Create Interactive Tour

Windows Analysis Report
Adobe CEF Helper 3.9.exe

Overview

General Information

Sample Name:	Adobe CEF Helper 3.9.exe
Analysis ID:	12181
MD5:	c70d8dce46b4551133ecc58aed84bf0e
SHA1:	00626346632fdfb2a1d5831793e92a3601ec4d9f
SHA256:	0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Uses 32bit PE files

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to dynamically determine API calls

Found large amount of non-executed APIs

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64native

Adobe CEF Helper 3.9.exe (PID: 8340 cmdline: "C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe" -install MD5: C70D8DCE46B4551133ECC58AED84BF0E)

Adobe CEF Helper 3.9.exe (PID: 4304 cmdline: "C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe" /install MD5: C70D8DCE46B4551133ECC58AED84BF0E)

Adobe CEF Helper 3.9.exe (PID: 8096 cmdline: "C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe" /load MD5: C70D8DCE46B4551133ECC58AED84BF0E)

cleanup

Joe Sandbox Signatures

• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Adobe CEF Helper 3.9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Adobe CEF Helper 3.9.exe

Static PE information: certificate valid

Source: Adobe CEF Helper 3.9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\builds\ACC\GM\source\dev\target\win32\Release\HEX\Adobe CEF Helper.pdb source: Adobe CEF Helper 3.9.exe
Source:	Binary string: C:\builds\ACC\GM\source\dev\target\win32\Release\HEX\Adobe CEF Helper.pdb- source: Adobe CEF Helper 3.9.exe

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006B9D9E FindFirstFileExW,FindClose,FindNextFileW,

0_2_006B9D9E

Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: http://s.symcd.com0_
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: http://sw.symcd.com0
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: Adobe CEF Helper 3.9.exe	String found in binary or memory: https://d.symcb.com/rpa0)

Source: Adobe CEF Helper 3.9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Adobe CEF Helper 3.9.exe, 00000000.00000000.724959944.00000000006DA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAdobe CEF Helper.exeB vs Adobe CEF Helper 3.9.exe
Source: Adobe CEF Helper 3.9.exe, 00000004.00000000.747488032.00000000006DA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAdobe CEF Helper.exeB vs Adobe CEF Helper 3.9.exe
Source: Adobe CEF Helper 3.9.exe, 00000005.00000000.770025180.00000000006DA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAdobe CEF Helper.exeB vs Adobe CEF Helper 3.9.exe
Source: Adobe CEF Helper 3.9.exe	Binary or memory string: OriginalFilenameAdobe CEF Helper.exeB vs Adobe CEF Helper 3.9.exe

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Code function: 0_2_006BBC39	0_2_006BBC39
Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Code function: 0_2_006B919A	0_2_006B919A
Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Code function: 0_2_006B2E18	0_2_006B2E18
Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Code function: 0_2_006B4610	0_2_006B4610
Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Code function: 0_2_006BF210	0_2_006BF210

Source: Adobe CEF Helper 3.9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe "C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe" -install
Source: unknown	Process created: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe "C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe" /install
Source: unknown	Process created: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe "C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe" /load

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Command line argument: CEF	0_2_006B12E0
Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Command line argument: HEX.dll	0_2_006B12E0
Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Command line argument: >k	0_2_006BEA90

Source: Adobe CEF Helper 3.9.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 7

Perma Link

Source: classification engine

Classification label: clean6.winEXE@3/0@0/0

Source: Adobe CEF Helper 3.9.exe

Static PE information: certificate valid

Source: Adobe CEF Helper 3.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Adobe CEF Helper 3.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Adobe CEF Helper 3.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Adobe CEF Helper 3.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Adobe CEF Helper 3.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Adobe CEF Helper 3.9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Adobe CEF Helper 3.9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Adobe CEF Helper 3.9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\builds\ACC\GM\source\dev\target\win32\Release\HEX\Adobe CEF Helper.pdb source: Adobe CEF Helper 3.9.exe
Source:	Binary string: C:\builds\ACC\GM\source\dev\target\win32\Release\HEX\Adobe CEF Helper.pdb- source: Adobe CEF Helper 3.9.exe

Source: Adobe CEF Helper 3.9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Adobe CEF Helper 3.9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Adobe CEF Helper 3.9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Adobe CEF Helper 3.9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Adobe CEF Helper 3.9.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006B2A56 push ecx; ret

0_2_006B2A69

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006B12E0 SetDllDirectoryW,LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_006B12E0

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006B2E18 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006B2E18

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

API coverage: 8.7 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006B9D9E FindFirstFileExW,FindClose,FindNextFileW,

0_2_006B9D9E

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006B31FA IsDebuggerPresent,OutputDebugStringW,

0_2_006B31FA

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006B6FD7 mov eax, dword ptr fs:[00000030h]

0_2_006B6FD7

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006B12E0 SetDllDirectoryW,LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_006B12E0

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006BB38C GetProcessHeap,

0_2_006BB38C

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Code function: 0_2_006B24C7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006B24C7
Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Code function: 0_2_006B295A SetUnhandledExceptionFilter,	0_2_006B295A
Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Code function: 0_2_006B5E07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006B5E07
Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe	Code function: 0_2_006B27C8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006B27C8

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006B2A6B cpuid

0_2_006B2A6B

Source: C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe

Code function: 0_2_006B26B7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006B26B7

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Adobe CEF Helper 3.9.exe	4%	Virustotal		Browse
Adobe CEF Helper 3.9.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0	Adobe CEF Helper 3.9.exe	false		high
http://ocsp.thawte.com0	Adobe CEF Helper 3.9.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	12181
Start date and time:	2023-03-08 09:25:47 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Adobe CEF Helper 3.9.exe
Detection:	CLEAN
Classification:	clean6.winEXE@3/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 91.1%) Quality average: 76.2% Quality standard deviation: 32%
HCA Information:	Successful, ratio: 94% Number of executed functions: 7 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.125.122.151, 20.166.126.56
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ctldl.windowsupdate.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.479793152508406
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Adobe CEF Helper 3.9.exe
File size:	190144
MD5:	c70d8dce46b4551133ecc58aed84bf0e
SHA1:	00626346632fdfb2a1d5831793e92a3601ec4d9f
SHA256:	0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681
SHA512:	12117c7fa9acef9a2a8d7da53a2a435dd45298bb98439025e2c4a3bb0c8096675d5541c0b2eb7246164e2a19cd879f98c0a007b0f73691d59036822be01a6f92
SSDEEP:	3072:Ab6eqM+UdkAkko1tnC0Ag0Fuj8zDTBfhXxFGS7EArdUYVS77ylmrYM:o6VM+Uu5Lm0AO4DTB9GSYAfUUmrYM
TLSH:	0A048D04B6E28573D471093144B9BEA44639F9392F12CF7BBF98361B2D653C09533ABA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j....z...z...z.......z.....6.z.......z.JR....z..Vy...z..V....z..V~...z.r.....z...{.n.z..s....z..Vs...z..V....z.......z..Vx...z

File Icon


Icon Hash:	bee0dcd6cce49a00

Static PE Info

General

Entrypoint:	0x402140
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x57FECE6A [Wed Oct 12 23:59:38 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	87b66fbc31fd804dcc1ea09f9a947825

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 Extended Validation Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	06/11/2015 00:00:00 29/10/2017 00:59:59
Subject Chain	CN=Adobe Systems Incorporated, OU=AAM 256, O=Adobe Systems Incorporated, L=San Jose, S=California, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	6E845F2D8FBD447ED9418D445BB32DEF
Thumbprint SHA-1:	34A14660CDC20A4EB84F90A4E80DECC474BF9849
Thumbprint SHA-256:	1E4C1E966BDB31921E752D40D9AD2E919808F0A45121F971020E361A0E20D32B
Serial:	6DC3ED4566163E279D2784C99FFFD787

Entrypoint Preview

Instruction
call 00007F5A94885877h
jmp 00007F5A94885185h
jmp 00007F5A948850BDh
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F5A948850B2h
pop ecx
pop ebp
ret
push ebx
push esi
push edi
push 00000000h
push 00000FA0h
push 0041F9A8h
call 00007F5A94887EEDh
add esp, 0Ch
push 0041CC28h
call dword ptr [00410060h]
mov esi, eax
test esi, esi
je 00007F5A94885392h
push 004101A0h
push esi
call dword ptr [00410084h]
push 004101BCh
push esi
mov ebx, eax
call dword ptr [00410084h]
push 004101D8h
push esi
mov edi, eax
call dword ptr [00410084h]
mov esi, eax
test ebx, ebx
je 00007F5A94885339h
test edi, edi
je 00007F5A94885335h
test esi, esi
je 00007F5A94885331h
and dword ptr [0041F9C4h], 00000000h
mov ecx, ebx
push 0041F9C0h
call 00007F5A94885B38h
call ebx
push edi
call 00007F5A94887B55h
push esi
mov dword ptr [0041F9C8h], eax
call 00007F5A94887B4Ah
pop ecx
pop ecx
mov dword ptr [0041F9CCh], eax
jmp 00007F5A94885318h
xor eax, eax
push eax
push eax
push 00000001h
push eax
call dword ptr [00410050h]
mov dword ptr [0041F9C4h], eax
test eax, eax
je 00007F5A94885313h
push 0040221Dh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[RES] VS2015 UPD2 build 23918
[LNK] VS2015 UPD2 build 23918

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1dc98	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0xce28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2ce00	0x18c0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x30000	0x171c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1cd30	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1cdfc	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1cda0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10000	0x128	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xee57	0xf000	False	0.5611165364583334	data	6.615299306576569	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x10000	0xe352	0xe400	False	0.5731907894736842	data	6.057287353554554	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0x18c4	0xa00	False	0.223046875	data	2.6518591277421106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x21000	0x150	0x200	False	0.423828125	data	2.2924498968384603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x22000	0x9	0x200	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0xce28	0xd000	False	0.5187424879807693	data	5.812800197342498	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x30000	0x171c	0x1800	False	0.6788736979166666	data	6.460935492820969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x231f0	0x828	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States
RT_ICON	0x23a18	0x2028	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States
RT_ICON	0x25a40	0x4828	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States
RT_ICON	0x2a268	0x1ac2	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x2bd30	0x3ba2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_GROUP_ICON	0x2f8d8	0x4c	data	English	United States
RT_VERSION	0x2f928	0x380	data	English	India
RT_MANIFEST	0x2fca8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	FindNextFileW, WriteFile, GetModuleFileNameW, FindClose, CreateFileW, GetLastError, CloseHandle, FlushFileBuffers, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, RaiseException, DecodePointer, DeleteCriticalSection, WideCharToMultiByte, HeapFree, GetCurrentProcess, TerminateProcess, HeapSize, CreateEventW, HeapReAlloc, HeapAlloc, GetProcessHeap, GetModuleHandleW, LCMapStringW, WriteConsoleW, GetConsoleCP, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetDllDirectoryW, FreeLibrary, GetProcAddress, LoadLibraryW, TlsSetValue, GetCommandLineW, TlsGetValue, TlsAlloc, SetLastError, EncodePointer, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExW, GetConsoleMode, SetFilePointerEx, GetFileType, GetACP, GetModuleHandleExW, ExitProcess, GetStdHandle, RtlUnwind, LoadLibraryExW, OutputDebugStringW, GetCPInfo, EnterCriticalSection, LeaveCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetStringTypeW, TlsFree
ADVAPI32.dll	SystemFunction036
SHLWAPI.dll	PathAppendW, PathRemoveFileSpecW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
English	India

Network Behavior

Report size exceeds maximum size, please checkout the PCAP download to see all network behavior

Statistics

Click to jump to process

Memory Usage

• Adobe CEF Helper 3.9.exe
• Adobe CEF Helper 3.9.exe
• Adobe CEF Helper 3.9.exe

Click to jump to process

Behavior

• Adobe CEF Helper 3.9.exe
• Adobe CEF Helper 3.9.exe
• Adobe CEF Helper 3.9.exe

Click to jump to process

System Behavior

Analysis Process: Adobe CEF Helper 3.9.exePID: 8340, Parent PID: 5036

Function Logs

General

Target ID:	0
Start time:	09:29:52
Start date:	08/03/2023
Path:	C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe" -install
Imagebase:	0x6b0000
File size:	190144 bytes
MD5 hash:	C70D8DCE46B4551133ECC58AED84BF0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: Adobe CEF Helper 3.9.exePID: 4304, Parent PID: 5036

Function Logs

General

Target ID:	4
Start time:	09:29:54
Start date:	08/03/2023
Path:	C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe" /install
Imagebase:	0x6b0000
File size:	190144 bytes
MD5 hash:	C70D8DCE46B4551133ECC58AED84BF0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: Adobe CEF Helper 3.9.exePID: 8096, Parent PID: 5036

Function Logs

General

Target ID:	5
Start time:	09:29:57
Start date:	08/03/2023
Path:	C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Adobe CEF Helper 3.9.exe" /load
Imagebase:	0x6b0000
File size:	190144 bytes
MD5 hash:	C70D8DCE46B4551133ECC58AED84BF0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: Adobe CEF Helper 3.9.exePID: 8340, Parent PID: 5036COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.3%
Total number of Nodes:	1256
Total number of Limit Nodes:	33

Executed Functions

Function 006B12E0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 120
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E006B12E0(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				char _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v56;
				char _v60;
				short _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				short _v88;
				short _v92;
				char _v96;
				char _v100;
				void* __esi;
				signed int _t47;
				struct HINSTANCE__* _t67;
				_Unknown_base(*)()* _t77;
				char* _t88;
				char* _t90;
				intOrPtr _t101;
				void* _t103;
				struct HINSTANCE__* _t104;
				void* _t105;
				signed int _t106;
				signed int _t108;
				void* _t109;
				signed int _t110;

				_t84 = __ebx;
				_t108 = (_t106 & 0xfffffff8) - 0x50;
				_t47 =  *0x6cf00c; // 0xe4e76224
				_v8 = _t47 ^ _t108;
				_push(_t103);
				_v12 = 7;
				_t101 = _a4;
				_v16 = 0;
				_v32 = 0;
				E006B19F0( &_v32, _t103);
				_v36 = 7;
				_push(0xffffffff);
				_v56 = 0;
				_v40 = 0;
				E006B15E0( &_v56,  &_v32, 0);
				E006B1A90( &_v68);
				_v72 = 7;
				_t88 =  &_v92;
				_v76 = 0;
				_v92 = 0;
				E006B14E0(_t88, "CEF", 3);
				_push(_t88);
				E006B1BD0( &_v76,  &_v100);
				_t58 = _v80;
				_t109 = _t108 + 4;
				if(_v80 >= 8) {
					E006B1700(__ebx,  &_v100, _t101, _v84, _t58 + 1);
				}
				_t60 =  >=  ? _v60 :  &_v60;
				__imp__SetDllDirectoryW( >=  ? _v60 :  &_v60);
				_v68 = 7;
				_t90 =  &_v88;
				_v72 = 0;
				_v88 = 0;
				E006B14E0(_t90, L"HEX.dll", 7);
				_push(_t90);
				_t99 =  &_v96;
				E006B1BD0( &_v48,  &_v96);
				_t64 = _v76;
				_t110 = _t109 + 4;
				if(_v76 >= 8) {
					E006B1700(_t84,  &_v96, _t101, _v88, _t64 + 1);
				}
				_t66 =  >=  ? _v40 :  &_v40;
				_t67 = LoadLibraryW( >=  ? _v40 :  &_v40); // executed
				_t104 = _t67;
				if(_t104 != 0) {
					_t77 = GetProcAddress(_t104, "CEFProcessForkHandlerEx");
					 *_t77(_t101);
					_t110 = _t110 + 4;
					FreeLibrary(_t104);
				}
				_t68 = _v44;
				if(_v44 >= 8) {
					E006B1700(_t84, _t99, _t101, _v64, _t68 + 1);
				}
				_v44 = 7;
				_v64 = 0;
				_t70 = _v20;
				_v48 = 0;
				if(_v20 >= 8) {
					E006B1700(_t84, _t99, _t101, _v40, _t70 + 1);
				}
				_pop(_t105);
				return E006B1EC3(_v16 ^ _t110, _t99, _t105);
			}

0x006b12e0
0x006b12e6
0x006b12e9
0x006b12f0
0x006b12f4
0x006b12f7
0x006b1300
0x006b1307
0x006b130f
0x006b1314
0x006b131b
0x006b1323
0x006b1326
0x006b1333
0x006b133c
0x006b1345
0x006b134e
0x006b135b
0x006b135f
0x006b1367
0x006b136c
0x006b1371
0x006b137a
0x006b137f
0x006b1383
0x006b1389
0x006b1395
0x006b1395
0x006b13a3
0x006b13a9
0x006b13b3
0x006b13c0
0x006b13c4
0x006b13cc
0x006b13d1
0x006b13d6
0x006b13d7
0x006b13df
0x006b13e4
0x006b13e8
0x006b13ee
0x006b13fa
0x006b13fa
0x006b1408
0x006b140e
0x006b1414
0x006b1418
0x006b1420
0x006b1427
0x006b1429
0x006b142d
0x006b142d
0x006b1433
0x006b143a
0x006b1446
0x006b1446
0x006b144d
0x006b1455
0x006b145a
0x006b145e
0x006b1469
0x006b1475
0x006b1475
0x006b1481
0x006b148c

APIs

Part of subcall function 006B19F0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 006B1A14

SetDllDirectoryW.KERNEL32(?), ref: 006B13A9
LoadLibraryW.KERNELBASE(?), ref: 006B140E
GetProcAddress.KERNEL32(00000000,CEFProcessForkHandlerEx), ref: 006B1420
FreeLibrary.KERNEL32(00000000), ref: 006B142D

Strings

HEX.dll, xrefs: 006B13BB
CEFProcessForkHandlerEx, xrefs: 006B141A
CEF, xrefs: 006B1356

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: Library$AddressDirectoryFileFreeLoadModuleNameProc
String ID: CEF$CEFProcessForkHandlerEx$HEX.dll
API String ID: 1234357850-4195659784
Opcode ID: 96a42c815c467e99a5afb6e59b092b8024c8f9394ae591114c21baecf4dfb184
Instruction ID: 834e155b335d7f3c0e2ea274f999ecec2d0a0ea2b7e10a9744a1b194fdadc0b4
Opcode Fuzzy Hash: 96a42c815c467e99a5afb6e59b092b8024c8f9394ae591114c21baecf4dfb184
Instruction Fuzzy Hash: AE4158B1118300AFC740DF64C865BABB7E6FF89744F404A1DF4A697290EB74EA488B57

Uniqueness

Uniqueness Score: -1.00%

Function 006B6FD7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E006B6FD7(int _a4) {
				void* _t7;
				void* _t14;
				void* _t16;
				void* _t17;

				_t7 = E006B9A5C(_t14, _t16, _t17); // executed
				if(_t7 != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E006B7018(_t14, _a4);
				ExitProcess(_a4);
			}

0x006b6fdc
0x006b6fe3
0x006b6fff
0x006b6fff
0x006b7008
0x006b7011

APIs

GetCurrentProcess.KERNEL32(00000003,?,006B6FAD,00000003,006CD978,0000000C,006B70C0,00000003,00000002,00000000,?,006B792C,00000003), ref: 006B6FF8
TerminateProcess.KERNEL32(00000000,?,006B6FAD,00000003,006CD978,0000000C,006B70C0,00000003,00000002,00000000,?,006B792C,00000003), ref: 006B6FFF
ExitProcess.KERNEL32 ref: 006B7011

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 61b5540f595a4a1165cb8763ac19c3f7c324ad03ef4849091edb7ac5ea8c3ebd
Instruction ID: 443809dc663fac754c2ae5fb908a597ff9faea59bf38b39b10bc70f8be8787ec
Opcode Fuzzy Hash: 61b5540f595a4a1165cb8763ac19c3f7c324ad03ef4849091edb7ac5ea8c3ebd
Instruction Fuzzy Hash: 97E046B1104108EFCF527F60CD08ED83B2BEB80351B020414F9088B222CB39DD82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006B971A Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E006B971A(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x6d0680 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x6c3830 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xe4e76225
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x006b971f
0x006b9723
0x006b972a
0x006b972e
0x006b973c
0x006b974c
0x006b9752
0x006b9756
0x006b977f
0x006b9781
0x006b9785
0x006b9788
0x006b9788
0x006b978e
0x006b9790
0x00000000
0x006b9791
0x006b9758
0x006b9761
0x006b9770
0x006b9763
0x006b9766
0x006b976c
0x006b976c
0x006b9774
0x00000000
0x006b9776
0x006b9779
0x006b977b
0x00000000
0x006b977b
0x006b9774
0x006b9730
0x006b9735
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,006B96C1,?,00000000,00000000,00000000,?,006B98BE,00000006,FlsSetValue), ref: 006B974C
GetLastError.KERNEL32(?,006B96C1,?,00000000,00000000,00000000,?,006B98BE,00000006,FlsSetValue,006C3CE8,006C3CF0,00000000,00000364,?,006B818B), ref: 006B9758
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006B96C1,?,00000000,00000000,00000000,?,006B98BE,00000006,FlsSetValue,006C3CE8,006C3CF0,00000000), ref: 006B9766

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 257806aea8e4057e2649c1a9ab4e6d9585d58c2de2b95d272be25932210562ea
Instruction ID: cb0ad8b0d260d4f0dfbbdd6905a9ed1144cfa51764c4f2f82f6dd8af67285816
Opcode Fuzzy Hash: 257806aea8e4057e2649c1a9ab4e6d9585d58c2de2b95d272be25932210562ea
Instruction Fuzzy Hash: 4601D472721226ABD7214E789C44EE637DAEF457A1B210630FA16E3280DB30D841C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 006BA93A Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E006BA93A(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E006BA903(_t19) - _t19 >> 1) + (E006BA903(_t19) - _t19 >> 1);
					_t6 = E006B792D(_t14, (E006BA903(_t19) - _t19 >> 1) + (E006BA903(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E006B53F0(_t18, _t19, _t12);
					}
					E006B7C95(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x006ba93a
0x006ba944
0x006ba948
0x006ba959
0x006ba95d
0x006ba962
0x006ba968
0x006ba96d
0x006ba972
0x006ba977
0x006ba97e
0x006ba94a
0x006ba94a
0x006ba94a
0x006ba989

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006BA93E
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006BA97E

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: ef8a0903e96b3b73f5905b09a80d5fdc19993bca30318ec5c30d7042901f075b
Instruction ID: d7c8ce4a72768a3e970f3f7dcc6bfd3d1a05b60325e87da32ce3b730edb696a1
Opcode Fuzzy Hash: ef8a0903e96b3b73f5905b09a80d5fdc19993bca30318ec5c30d7042901f075b
Instruction Fuzzy Hash: 28E0E5B71149106AA2A232797C49EEF2B1BCFC27B07270118F00986241EE148D8652B6

Uniqueness

Uniqueness Score: -1.00%

Function 006B967E Relevance: 1.6, APIs: 1, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E006B967E(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0x6d06d0 + _a4 * 4;
				_t27 =  *0x6cf00c; // 0xe4e76224
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0x6cf00c; // 0xe4e76224
							goto L13;
						}
						 *_t20 = E006B4A2A(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E006B971A( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0x6cf00c; // 0xe4e76224
						goto L7;
					}
					_t27 =  *0x6cf00c; // 0xe4e76224
					goto L8;
				}
				L2:
				return _t33;
			}

0x006b9689
0x006b9692
0x006b9698
0x006b96a2
0x006b96a4
0x006b96a8
0x006b9713
0x00000000
0x006b9713
0x006b96ac
0x006b96b2
0x006b96b8
0x006b96d4
0x006b96d4
0x006b96d6
0x006b96d8
0x006b9703
0x006b9705
0x006b970d
0x006b9711
0x00000000
0x006b9711
0x006b96e4
0x006b96e8
0x006b96fd
0x00000000
0x006b96fd
0x006b96f1
0x00000000
0x00000000
0x00000000
0x00000000
0x006b96ba
0x006b96ba
0x006b96bc
0x006b96c4
0x00000000
0x00000000
0x006b96c6
0x006b96cc
0x00000000
0x00000000
0x006b96ce
0x00000000
0x006b96ce
0x006b96f5
0x00000000
0x006b96f5
0x006b96ae
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 006B96DE

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 33f1c1b1da495873ba7de243bb2a0718ad91bf838cb639e8b5ce8119aae2b7b4
Instruction ID: cae32dbd73b896ba182342a0b91276e8d437e856b85925985a4b1073b866a82e
Opcode Fuzzy Hash: 33f1c1b1da495873ba7de243bb2a0718ad91bf838cb639e8b5ce8119aae2b7b4
Instruction Fuzzy Hash: 1711A773A105319BAB259F19DC509EA7397AB817607168230FE14EB344EA30EC8187F0

Uniqueness

Uniqueness Score: -1.00%

Function 006B7867 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E006B7867(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6d0790, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E006B720F();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E006B633F())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E006B65B6(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x006b7867
0x006b786d
0x006b7872
0x006b7880
0x006b7880
0x006b7886
0x006b7888
0x006b7888
0x006b789f
0x006b78a8
0x006b78b0
0x00000000
0x00000000
0x006b7890
0x006b7892
0x006b78b4
0x006b78b9
0x006b78bf
0x00000000
0x006b78bf
0x006b7895
0x006b789a
0x006b789b
0x006b789d
0x00000000
0x00000000
0x006b789d
0x00000000
0x006b789f
0x006b7878
0x006b787e
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,006B816E,00000001,00000364,?,006B45AE,00000006,00000000,-00000002,00000000,?,006B1CC7,?), ref: 006B78A8

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 95dd3ad9fd1fb743e7c678ebbcfdcfcbfe3191ffb4e6a7d07967ef54a065102d
Instruction ID: ad7521db6199c8deea0dd3faff3312eb6504f010ac019aab23edf5c319529837
Opcode Fuzzy Hash: 95dd3ad9fd1fb743e7c678ebbcfdcfcbfe3191ffb4e6a7d07967ef54a065102d
Instruction Fuzzy Hash: 65F0E2B260812066EB756A629C0ABDB374BAFC0760F184175FC1CAA391DA31E881C7F4

Uniqueness

Uniqueness Score: -1.00%

Function 006B792D Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E006B792D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E006B633F())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x6d0790, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E006B720F();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E006B65B6(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x006b792d
0x006b7933
0x006b7939
0x006b796b
0x006b7970
0x006b7976
0x00000000
0x006b7976
0x006b793d
0x006b793f
0x006b793f
0x006b7956
0x006b795f
0x006b7967
0x00000000
0x00000000
0x006b7947
0x006b7949
0x00000000
0x00000000
0x006b794c
0x006b7951
0x006b7952
0x006b7954
0x00000000
0x00000000
0x006b7954
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000004,00000000,?,006B45AE,00000006,00000000,-00000002,00000000,?,006B1CC7,?,00000004,00000000), ref: 006B795F

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e06df4f36b21a53a19377209fd1e32462e1b875f036d502729baef70e585c48c
Instruction ID: 5b3144a0c26bfe57bfd0ccef104ecc3333d5432df146e2f40a933895a4758041
Opcode Fuzzy Hash: e06df4f36b21a53a19377209fd1e32462e1b875f036d502729baef70e585c48c
Instruction Fuzzy Hash: 4AE065B115962196E73136669C00FDB375BABC17B1F150225FC19A6391DB20DEC193E8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 006B2E18 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 207
libraryloaderCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E006B2E18() {
				struct HINSTANCE__* _t83;

				_t83 = GetModuleHandleW(L"kernel32.dll");
				 *0x6cfec0 = GetProcAddress(_t83, "FlsAlloc") ^  *0x6cf00c;
				 *0x6cfec4 = GetProcAddress(_t83, "FlsFree") ^  *0x6cf00c;
				 *0x6cfec8 = GetProcAddress(_t83, "FlsGetValue") ^  *0x6cf00c;
				 *0x6cfecc = GetProcAddress(_t83, "FlsSetValue") ^  *0x6cf00c;
				 *0x6cfed0 = GetProcAddress(_t83, "InitializeCriticalSectionEx") ^  *0x6cf00c;
				 *0x6cfed4 = GetProcAddress(_t83, "InitOnceExecuteOnce") ^  *0x6cf00c;
				 *0x6cfed8 = GetProcAddress(_t83, "CreateEventExW") ^  *0x6cf00c;
				 *0x6cfedc = GetProcAddress(_t83, "CreateSemaphoreW") ^  *0x6cf00c;
				 *0x6cfee0 = GetProcAddress(_t83, "CreateSemaphoreExW") ^  *0x6cf00c;
				 *0x6cfee4 = GetProcAddress(_t83, "CreateThreadpoolTimer") ^  *0x6cf00c;
				 *0x6cfee8 = GetProcAddress(_t83, "SetThreadpoolTimer") ^  *0x6cf00c;
				 *0x6cfeec = GetProcAddress(_t83, "WaitForThreadpoolTimerCallbacks") ^  *0x6cf00c;
				 *0x6cfef0 = GetProcAddress(_t83, "CloseThreadpoolTimer") ^  *0x6cf00c;
				 *0x6cfef4 = GetProcAddress(_t83, "CreateThreadpoolWait") ^  *0x6cf00c;
				 *0x6cfef8 = GetProcAddress(_t83, "SetThreadpoolWait") ^  *0x6cf00c;
				 *0x6cfefc = GetProcAddress(_t83, "CloseThreadpoolWait") ^  *0x6cf00c;
				 *0x6cff00 = GetProcAddress(_t83, "FlushProcessWriteBuffers") ^  *0x6cf00c;
				 *0x6cff04 = GetProcAddress(_t83, "FreeLibraryWhenCallbackReturns") ^  *0x6cf00c;
				 *0x6cff08 = GetProcAddress(_t83, "GetCurrentProcessorNumber") ^  *0x6cf00c;
				 *0x6cff0c = GetProcAddress(_t83, "CreateSymbolicLinkW") ^  *0x6cf00c;
				 *0x6cff10 = GetProcAddress(_t83, "GetCurrentPackageId") ^  *0x6cf00c;
				 *0x6cff14 = GetProcAddress(_t83, "GetTickCount64") ^  *0x6cf00c;
				 *0x6cff18 = GetProcAddress(_t83, "GetFileInformationByHandleEx") ^  *0x6cf00c;
				 *0x6cff1c = GetProcAddress(_t83, "SetFileInformationByHandle") ^  *0x6cf00c;
				 *0x6cff20 = GetProcAddress(_t83, "GetSystemTimePreciseAsFileTime") ^  *0x6cf00c;
				 *0x6cff24 = GetProcAddress(_t83, "InitializeConditionVariable") ^  *0x6cf00c;
				 *0x6cff28 = GetProcAddress(_t83, "WakeConditionVariable") ^  *0x6cf00c;
				 *0x6cff2c = GetProcAddress(_t83, "WakeAllConditionVariable") ^  *0x6cf00c;
				 *0x6cff30 = GetProcAddress(_t83, "SleepConditionVariableCS") ^  *0x6cf00c;
				 *0x6cff34 = GetProcAddress(_t83, "InitializeSRWLock") ^  *0x6cf00c;
				 *0x6cff38 = GetProcAddress(_t83, "AcquireSRWLockExclusive") ^  *0x6cf00c;
				 *0x6cff3c = GetProcAddress(_t83, "TryAcquireSRWLockExclusive") ^  *0x6cf00c;
				 *0x6cff40 = GetProcAddress(_t83, "ReleaseSRWLockExclusive") ^  *0x6cf00c;
				 *0x6cff44 = GetProcAddress(_t83, "SleepConditionVariableSRW") ^  *0x6cf00c;
				 *0x6cff48 = GetProcAddress(_t83, "CreateThreadpoolWork") ^  *0x6cf00c;
				 *0x6cff4c = GetProcAddress(_t83, "SubmitThreadpoolWork") ^  *0x6cf00c;
				 *0x6cff50 = GetProcAddress(_t83, "CloseThreadpoolWork") ^  *0x6cf00c;
				 *0x6cff54 = GetProcAddress(_t83, "CompareStringEx") ^  *0x6cf00c;
				 *0x6cff58 = GetProcAddress(_t83, "GetLocaleInfoEx") ^  *0x6cf00c;
				 *0x6cff5c = GetProcAddress(_t83, "LCMapStringEx") ^  *0x6cf00c;
				return 0;
			}

0x006b2e24
0x006b2e3e
0x006b2e55
0x006b2e6c
0x006b2e83
0x006b2e9a
0x006b2eb1
0x006b2ec8
0x006b2edf
0x006b2ef6
0x006b2f0d
0x006b2f24
0x006b2f3b
0x006b2f52
0x006b2f69
0x006b2f7f
0x006b2f97
0x006b2fae
0x006b2fc5
0x006b2fdc
0x006b2ff3
0x006b300a
0x006b3021
0x006b3038
0x006b304f
0x006b3066
0x006b307d
0x006b3094
0x006b30ab
0x006b30c2
0x006b30d9
0x006b30f0
0x006b3107
0x006b311e
0x006b3135
0x006b314c
0x006b3163
0x006b317a
0x006b3191
0x006b31a8
0x006b31b9
0x006b31c1

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006B2E1E
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 006B2E2C
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 006B2E43
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 006B2E5A
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 006B2E71
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 006B2E88
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 006B2E9F
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 006B2EB6
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 006B2ECD
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 006B2EE4
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 006B2EFB
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 006B2F12
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 006B2F29
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 006B2F40
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 006B2F57
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 006B2F6E
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 006B2F85
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 006B2F9C
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 006B2FB3
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 006B2FCA
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 006B2FE1
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 006B2FF8
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 006B300F
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 006B3026
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 006B303D
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 006B3054
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006B306B
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 006B3082
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006B3099
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006B30B0
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 006B30C7
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 006B30DE
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 006B30F5
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 006B310C
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 006B3123
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 006B313A
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 006B3151
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 006B3168
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 006B317F
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 006B3196
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 006B31AD

Strings

SubmitThreadpoolWork, xrefs: 006B3146
CloseThreadpoolWork, xrefs: 006B315D
WakeAllConditionVariable, xrefs: 006B308E
SetFileInformationByHandle, xrefs: 006B3032
GetLocaleInfoEx, xrefs: 006B318B
CompareStringEx, xrefs: 006B3174
kernel32.dll, xrefs: 006B2E19
CreateSemaphoreW, xrefs: 006B2EC2
SetThreadpoolTimer, xrefs: 006B2F07
CloseThreadpoolWait, xrefs: 006B2F7A
FlsSetValue, xrefs: 006B2E66
CreateSemaphoreExW, xrefs: 006B2ED9
FlushProcessWriteBuffers, xrefs: 006B2F91
InitializeConditionVariable, xrefs: 006B3060
GetTickCount64, xrefs: 006B3004
CreateThreadpoolWork, xrefs: 006B312F
AcquireSRWLockExclusive, xrefs: 006B30D3
LCMapStringEx, xrefs: 006B31A2
FlsAlloc, xrefs: 006B2E26
CreateThreadpoolWait, xrefs: 006B2F4C
ReleaseSRWLockExclusive, xrefs: 006B3101
WaitForThreadpoolTimerCallbacks, xrefs: 006B2F1E
FlsGetValue, xrefs: 006B2E4F
GetCurrentProcessorNumber, xrefs: 006B2FBF
FlsFree, xrefs: 006B2E38
CloseThreadpoolTimer, xrefs: 006B2F35
SetThreadpoolWait, xrefs: 006B2F63
SleepConditionVariableSRW, xrefs: 006B3118
CreateEventExW, xrefs: 006B2EAB
FreeLibraryWhenCallbackReturns, xrefs: 006B2FA8
InitializeCriticalSectionEx, xrefs: 006B2E7D
CreateSymbolicLinkW, xrefs: 006B2FD6
TryAcquireSRWLockExclusive, xrefs: 006B30EA
InitializeSRWLock, xrefs: 006B30BC
WakeConditionVariable, xrefs: 006B3077
CreateThreadpoolTimer, xrefs: 006B2EF0
GetCurrentPackageId, xrefs: 006B2FED
InitOnceExecuteOnce, xrefs: 006B2E94
GetSystemTimePreciseAsFileTime, xrefs: 006B3049
SleepConditionVariableCS, xrefs: 006B30A5
GetFileInformationByHandleEx, xrefs: 006B301B

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 1112e86bc21a25b316cb020f7222b2929728b010ed3a99bf912183663a0c9e84
Instruction ID: 6dc02b6a497cf108a622015c39f956b4d530dfd5d01e53d17992fa9371b138a4
Opcode Fuzzy Hash: 1112e86bc21a25b316cb020f7222b2929728b010ed3a99bf912183663a0c9e84
Instruction Fuzzy Hash: 19919475A61250EBE7009FB4FD59E763BEBFB1EB01342A92AE211D6172D7F490048F60

Uniqueness

Uniqueness Score: -1.00%

Function 006B9D9E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 235
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E006B9D9E(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v28;
				signed int _v32;
				WCHAR* _v36;
				signed int _v48;
				intOrPtr _v556;
				intOrPtr _v558;
				struct _WIN32_FIND_DATAW _v604;
				intOrPtr* _v608;
				signed int _v612;
				signed int _v616;
				intOrPtr _v644;
				intOrPtr _v648;
				void* __esi;
				signed int _t40;
				signed int _t45;
				signed int _t48;
				signed int _t50;
				signed int _t51;
				signed char _t53;
				signed int _t62;
				void* _t64;
				union _FINDEX_INFO_LEVELS _t66;
				signed int _t71;
				intOrPtr* _t72;
				signed int _t75;
				void* _t82;
				void* _t84;
				signed int _t85;
				void* _t89;
				WCHAR* _t90;
				intOrPtr* _t94;
				intOrPtr _t97;
				void* _t99;
				signed int _t100;
				intOrPtr* _t104;
				signed int _t107;
				void* _t110;
				signed int _t113;
				void* _t114;
				union _FINDEX_INFO_LEVELS _t115;
				void* _t119;
				void* _t120;
				void* _t121;
				signed int _t122;
				void* _t123;
				void* _t124;
				signed int _t128;
				void* _t129;
				signed int _t130;
				void* _t131;
				void* _t132;

				_push(__ecx);
				_t94 = _a4;
				_push(__ebx);
				_push(__edi);
				_t2 = _t94 + 2; // 0x2
				_t110 = _t2;
				do {
					_t40 =  *_t94;
					_t94 = _t94 + 2;
				} while (_t40 != 0);
				_t113 = _a12;
				_t97 = (_t94 - _t110 >> 1) + 1;
				_v8 = _t97;
				if(_t97 <= (_t40 | 0xffffffff) - _t113) {
					_t89 = _t113 + 1 + _t97;
					_t120 = E006B7867(_t97, _t89, 2);
					_t99 = _t119;
					__eflags = _t113;
					if(_t113 == 0) {
						L6:
						_push(_v8);
						_t89 = _t89 - _t113;
						_t45 = E006B641F(_t99, _t120 + _t113 * 2, _t89, _a4);
						_t130 = _t129 + 0x10;
						__eflags = _t45;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t82 = E006BA017(_a16, __eflags, _t120);
							E006B7C95(0);
							_t84 = _t82;
							goto L8;
						}
					} else {
						_push(_t113);
						_t85 = E006B641F(_t99, _t120, _t89, _a8);
						_t130 = _t129 + 0x10;
						__eflags = _t85;
						if(_t85 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E006B5FFE();
							asm("int3");
							_t128 = _t130;
							_t131 = _t130 - 0x260;
							_t48 =  *0x6cf00c; // 0xe4e76224
							_v48 = _t48 ^ _t128;
							_t111 = _v28;
							_t100 = _v32;
							_push(_t89);
							_t90 = _v36;
							_push(_t120);
							_push(_t113);
							_t121 = 0x5c;
							_v644 = _t111;
							_v648 = 0x2f;
							_t114 = 0x3a;
							while(1) {
								__eflags = _t100 - _t90;
								if(_t100 == _t90) {
									break;
								}
								_t50 =  *_t100 & 0x0000ffff;
								__eflags = _t50 - _v612;
								if(_t50 != _v612) {
									__eflags = _t50 - _t121;
									if(_t50 != _t121) {
										__eflags = _t50 - _t114;
										if(_t50 != _t114) {
											_t100 = _t100 - 2;
											__eflags = _t100;
											continue;
										}
									}
								}
								break;
							}
							_t122 =  *_t100 & 0x0000ffff;
							__eflags = _t122 - _t114;
							if(_t122 != _t114) {
								L19:
								_t51 = _t122;
								_t115 = 0;
								_t111 = 0x2f;
								__eflags = _t51 - _t111;
								if(_t51 == _t111) {
									L23:
									_t53 = 1;
									__eflags = 1;
								} else {
									_t111 = 0x5c;
									__eflags = _t51 - _t111;
									if(_t51 == _t111) {
										goto L23;
									} else {
										_t111 = 0x3a;
										__eflags = _t51 - _t111;
										if(_t51 == _t111) {
											goto L23;
										} else {
											_t53 = 0;
										}
									}
								}
								_t103 = (_t100 - _t90 >> 1) + 1;
								asm("sbb eax, eax");
								_v612 =  ~(_t53 & 0x000000ff) & (_t100 - _t90 >> 0x00000001) + 0x00000001;
								E006B4EC0(_t115,  &_v604, _t115, 0x250);
								_t132 = _t131 + 0xc;
								_t123 = FindFirstFileExW(_t90, _t115,  &_v604, _t115, _t115, _t115);
								__eflags = _t123 - 0xffffffff;
								if(_t123 != 0xffffffff) {
									_t104 = _v608;
									_t62 =  *((intOrPtr*)(_t104 + 4)) -  *_t104;
									__eflags = _t62;
									_v616 = _t62 >> 2;
									_t64 = 0x2e;
									do {
										__eflags = _v604.cFileName - _t64;
										if(_v604.cFileName != _t64) {
											L36:
											_push(_t104);
											_t66 = E006B9D9E(_t90, _t104, _t115,  &(_v604.cFileName), _t90, _v612);
											_t132 = _t132 + 0x10;
											__eflags = _t66;
											if(_t66 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											__eflags = _v558 - _t115;
											if(_v558 == _t115) {
												goto L37;
											} else {
												__eflags = _v558 - _t64;
												if(_v558 != _t64) {
													goto L36;
												} else {
													__eflags = _v556 - _t115;
													if(_v556 == _t115) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t71 = FindNextFileW(_t123,  &_v604);
										_t104 = _v608;
										__eflags = _t71;
										_t64 = 0x2e;
									} while (_t71 != 0);
									_t72 = _t104;
									_t107 = _v616;
									_t111 =  *_t72;
									_t75 =  *((intOrPtr*)(_t72 + 4)) -  *_t72 >> 2;
									__eflags = _t107 - _t75;
									if(_t107 != _t75) {
										E006BDB80(_t90, _t115, _t111 + _t107 * 4, _t75 - _t107, 4, E006B9BB9);
									}
								} else {
									_push(_v608);
									_t66 = E006B9D9E(_t90, _t103, _t115, _t90, _t115, _t115);
									L26:
									_t115 = _t66;
								}
								__eflags = _t123 - 0xffffffff;
								if(_t123 != 0xffffffff) {
									FindClose(_t123);
								}
							} else {
								__eflags = _t100 -  &(_t90[1]);
								if(_t100 ==  &(_t90[1])) {
									goto L19;
								} else {
									_push(_t111);
									E006B9D9E(_t90, _t100, 0, _t90, 0, 0);
								}
							}
							_pop(_t124);
							__eflags = _v12 ^ _t128;
							return E006B1EC3(_v12 ^ _t128, _t111, _t124);
						} else {
							goto L6;
						}
					}
				} else {
					_t84 = 0xc;
					L8:
					return _t84;
				}
				L40:
			}

0x006b9da3
0x006b9da4
0x006b9da7
0x006b9da8
0x006b9dab
0x006b9dab
0x006b9dae
0x006b9dae
0x006b9db1
0x006b9db4
0x006b9db9
0x006b9dc3
0x006b9dc6
0x006b9dcb
0x006b9dd6
0x006b9de0
0x006b9de3
0x006b9de4
0x006b9de6
0x006b9dfa
0x006b9dfa
0x006b9dfd
0x006b9e07
0x006b9e0c
0x006b9e0f
0x006b9e11
0x00000000
0x006b9e13
0x006b9e17
0x006b9e20
0x006b9e26
0x00000000
0x006b9e28
0x006b9de8
0x006b9de8
0x006b9dee
0x006b9df3
0x006b9df6
0x006b9df8
0x006b9e2f
0x006b9e31
0x006b9e32
0x006b9e33
0x006b9e34
0x006b9e35
0x006b9e36
0x006b9e3b
0x006b9e3f
0x006b9e41
0x006b9e47
0x006b9e4e
0x006b9e51
0x006b9e54
0x006b9e57
0x006b9e58
0x006b9e5b
0x006b9e5c
0x006b9e5f
0x006b9e62
0x006b9e68
0x006b9e72
0x006b9e8e
0x006b9e8e
0x006b9e90
0x00000000
0x00000000
0x006b9e75
0x006b9e78
0x006b9e7f
0x006b9e81
0x006b9e84
0x006b9e86
0x006b9e89
0x006b9e8b
0x006b9e8b
0x00000000
0x006b9e8b
0x006b9e89
0x006b9e84
0x00000000
0x006b9e7f
0x006b9e92
0x006b9e95
0x006b9e98
0x006b9eb4
0x006b9eb6
0x006b9eb8
0x006b9eba
0x006b9ebb
0x006b9ebe
0x006b9ed4
0x006b9ed6
0x006b9ed6
0x006b9ec0
0x006b9ec2
0x006b9ec3
0x006b9ec6
0x00000000
0x006b9ec8
0x006b9eca
0x006b9ecb
0x006b9ece
0x00000000
0x006b9ed0
0x006b9ed0
0x006b9ed0
0x006b9ece
0x006b9ec6
0x006b9ede
0x006b9ee6
0x006b9eea
0x006b9ef8
0x006b9efd
0x006b9f12
0x006b9f14
0x006b9f17
0x006b9f4c
0x006b9f57
0x006b9f57
0x006b9f5c
0x006b9f62
0x006b9f63
0x006b9f63
0x006b9f6a
0x006b9f87
0x006b9f87
0x006b9f96
0x006b9f9b
0x006b9f9e
0x006b9fa0
0x00000000
0x00000000
0x00000000
0x00000000
0x006b9f6c
0x006b9f6c
0x006b9f73
0x00000000
0x006b9f75
0x006b9f75
0x006b9f7c
0x00000000
0x006b9f7e
0x006b9f7e
0x006b9f85
0x00000000
0x00000000
0x00000000
0x00000000
0x006b9f85
0x006b9f7c
0x006b9f73
0x00000000
0x006b9fa2
0x006b9faa
0x006b9fb0
0x006b9fb6
0x006b9fba
0x006b9fba
0x006b9fbd
0x006b9fbf
0x006b9fc5
0x006b9fcc
0x006b9fcf
0x006b9fd1
0x006b9fe5
0x006b9fea
0x006b9f19
0x006b9f1f
0x006b9f23
0x006b9f2b
0x006b9f2b
0x006b9f2b
0x006b9f2d
0x006b9f30
0x006b9f33
0x006b9f33
0x006b9e9a
0x006b9e9d
0x006b9e9f
0x00000000
0x006b9ea1
0x006b9ea1
0x006b9ea7
0x006b9eac
0x006b9e9f
0x006b9f3f
0x006b9f40
0x006b9f4b
0x00000000
0x00000000
0x00000000
0x006b9df8
0x006b9dcd
0x006b9dcf
0x006b9e29
0x006b9e2e
0x006b9e2e
0x00000000

APIs

Part of subcall function 006B7867: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,006B816E,00000001,00000364,?,006B45AE,00000006,00000000,-00000002,00000000,?,006B1CC7,?), ref: 006B78A8

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 006B9F0C
FindClose.KERNEL32(00000000), ref: 006B9F33
FindNextFileW.KERNEL32(00000000,?), ref: 006B9FAA

Strings

/, xrefs: 006B9E68

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: Find$File$AllocateCloseFirstHeapNext
String ID: /
API String ID: 2963102669-2043925204
Opcode ID: 0e4cc7a9b74c5f894d0fc4c4ddb2f5de51c6b297a94952a2a753d7adf2ad6498
Instruction ID: a98474a180f7b4e78d8baca5485db938b572b60975439817b8af68d15d8fea73
Opcode Fuzzy Hash: 0e4cc7a9b74c5f894d0fc4c4ddb2f5de51c6b297a94952a2a753d7adf2ad6498
Instruction Fuzzy Hash: 576138B26002146ADB30EA799C49EFB776EEFC4314F5441A9FA05DB281E631CDC28774

Uniqueness

Uniqueness Score: -1.00%

Function 006B27C8 Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E006B27C8(intOrPtr __edx, intOrPtr __edi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				_Unknown_base(*)()* _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t38;
				long _t48;
				signed int _t50;
				intOrPtr _t51;
				signed char _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;

				_t57 = __edi;
				_t56 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				 *0x6cfd28 = 0;
				_v632 = E006B4EC0(_t57,  &_v808, 0, 0x2cc);
				_v636 = _t55;
				_v640 = _t56;
				_v644 = _t51;
				_v648 = 0;
				_v652 = _t57;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t38 =  &_v0;
				_v612 = _t38;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t38 - 4));
				E006B4EC0(_t57,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t48 = UnhandledExceptionFilter( &_v12);
				if(_t48 == 0) {
					_t50 =  ~(_t54 & 0x000000ff);
					asm("sbb eax, eax");
					 *0x6cfd28 =  *0x6cfd28 & _t50;
					return _t50;
				}
				return _t48;
			}

0x006b27c8
0x006b27c8
0x006b27dc
0x006b27de
0x006b27e1
0x006b27e1
0x006b27f2
0x006b2800
0x006b2806
0x006b280c
0x006b2812
0x006b2818
0x006b281e
0x006b2824
0x006b282b
0x006b2832
0x006b2839
0x006b2840
0x006b2847
0x006b284e
0x006b284f
0x006b2858
0x006b285e
0x006b2861
0x006b2867
0x006b2876
0x006b2881
0x006b288c
0x006b2893
0x006b289a
0x006b28a4
0x006b28ac
0x006b28b5
0x006b28b7
0x006b28ba
0x006b28bc
0x006b28c6
0x006b28ce
0x006b28d3
0x006b28d5
0x006b28d7
0x00000000
0x006b28d7
0x006b28e2

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 006B27D5
IsDebuggerPresent.KERNEL32(?,?,?,00000017,?), ref: 006B289D
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?), ref: 006B28BC
UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?), ref: 006B28C6

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8199c621d31e548426a5f785b2b302d2c7657274a642ff593f1dc53ddb4f65d3
Instruction ID: 73d14c85081e3f2486ce184ebc066d1487950e431e71e9bb5840469d9afa6df0
Opcode Fuzzy Hash: 8199c621d31e548426a5f785b2b302d2c7657274a642ff593f1dc53ddb4f65d3
Instruction Fuzzy Hash: F23109B5D0522CDBDB50DFA5D989ADDBBB9EF08304F1041AAE40DA7210EB315A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 006B26B7 Relevance: 6.1, APIs: 4, Instructions: 53
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E006B26B7() {
				signed int _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t21;
				signed int _t29;
				signed int _t32;
				signed int _t36;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t21 =  *0x6cf00c; // 0xe4e76224
				if(_t21 == 0xbb40e64e || (0xffff0000 & _t21) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = _v8 ^ GetCurrentProcessId();
					QueryPerformanceCounter( &_v24);
					_t29 =  &_v8;
					_t36 = _v20 ^ _v24.LowPart ^ _v8 ^ _t29;
					if(_t36 != 0xbb40e64e) {
						if((0xffff0000 & _t36) == 0) {
							_t29 = (_t36 | 0x00004711) << 0x10;
							_t36 = _t36 | _t29;
						}
					} else {
						_t36 = 0xbb40e64f;
					}
					 *0x6cf00c = _t36;
					 *0x6cf008 =  !_t36;
					return _t29;
				} else {
					_t32 =  !_t21;
					 *0x6cf008 = _t32;
					return _t32;
				}
			}

0x006b26bd
0x006b26c1
0x006b26c5
0x006b26d8
0x006b26eb
0x006b26f7
0x006b2700
0x006b2709
0x006b2710
0x006b2719
0x006b2722
0x006b2726
0x006b2731
0x006b273a
0x006b273d
0x006b273d
0x006b2728
0x006b2728
0x006b2728
0x006b273f
0x006b2747
0x00000000
0x006b26de
0x006b26de
0x006b26e0
0x00000000
0x006b26e0

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 006B26EB
GetCurrentThreadId.KERNEL32 ref: 006B26FA
GetCurrentProcessId.KERNEL32 ref: 006B2703
QueryPerformanceCounter.KERNEL32(?), ref: 006B2710

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: fb8ed70d2597baaa32206f4be28643c31f7633864fbdd56a7653df766d24273c
Instruction ID: c7aa518bcf1954735353ba5ecb282e37225e9e8c476e35f52a499eaa5908fcff
Opcode Fuzzy Hash: fb8ed70d2597baaa32206f4be28643c31f7633864fbdd56a7653df766d24273c
Instruction Fuzzy Hash: 7F119EB1E00109DBDB14DFB8D964AFEB7FAFB08300F61547AD406D7250EE308A408B54

Uniqueness

Uniqueness Score: -1.00%

Function 006B24C7 Relevance: 6.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006B24C7(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x006b24cc
0x006b24d5
0x006b24ee

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,006B25E6,006C01FC,00000017), ref: 006B24CC
UnhandledExceptionFilter.KERNEL32(006C01FC,?,006B25E6,006C01FC,00000017), ref: 006B24D5
GetCurrentProcess.KERNEL32(C0000409,?,006B25E6,006C01FC,00000017), ref: 006B24E0
TerminateProcess.KERNEL32(00000000,?,006B25E6,006C01FC,00000017), ref: 006B24E7

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: cd53aa00f3499d04272de380f6af241c206d9447e8baa2b307e3d4847861b753
Instruction ID: 6bd1f825b43bfd6e38e4435edce349100365fd78a3147d44f984103ff4f59d4f
Opcode Fuzzy Hash: cd53aa00f3499d04272de380f6af241c206d9447e8baa2b307e3d4847861b753
Instruction Fuzzy Hash: 45D01232200208FBEB402BE0EC0CFAC3F2EFB08212F02A400F30E92020CB3644418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 006B31FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006B31FA(intOrPtr* __ecx, void* __eflags) {
				intOrPtr* _t13;

				_t13 = __ecx;
				E006B324D(__ecx);
				 *__ecx = 0x38;
				 *((intOrPtr*)(__ecx + 8)) = 0x6b0000;
				 *((intOrPtr*)(__ecx + 4)) = 0x6b0000;
				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x6c1f70;
				if(E006B1DA0(__ecx + 0x14) < 0) {
					if(IsDebuggerPresent() != 0) {
						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
					}
					 *0x6d0890 = 1;
				}
				return _t13;
			}

0x006b31fb
0x006b31fd
0x006b3207
0x006b3210
0x006b3213
0x006b3216
0x006b321d
0x006b322b
0x006b3235
0x006b323c
0x006b323c
0x006b3242
0x006b3242
0x006b324c

APIs

Part of subcall function 006B1DA0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,006B3229,?,?,?,006B12C6), ref: 006B1DA3
Part of subcall function 006B1DA0: GetLastError.KERNEL32(?,?,?,006B12C6), ref: 006B1DAD

IsDebuggerPresent.KERNEL32(?,?,?,006B12C6), ref: 006B322D
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006B12C6), ref: 006B323C

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006B3237

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: 4b52559b15346654b5add19b4c519e3badf055bcc2dc46bb6faec952b08aea63
Instruction ID: 64225911ff447edef3c7c69b97f46f6fd23235463605fbf177a2a6e374538d0f
Opcode Fuzzy Hash: 4b52559b15346654b5add19b4c519e3badf055bcc2dc46bb6faec952b08aea63
Instruction Fuzzy Hash: 2CE092B07043518FE3A0AF65E405B967BE2AF02744F44881DE995C6741EBB0E6888BA1

Uniqueness

Uniqueness Score: -1.00%

Function 006B5E07 Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E006B5E07(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x6cf00c; // 0xe4e76224
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E006B29A7(_t41);
					_pop(_t62);
				}
				E006B4EC0(_t67,  &_v804, 0, 0x50);
				E006B4EC0(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E006B29A7(_t57);
				}
				return E006B1EC3(_v8 ^ _t70, _t66, _t69);
			}

0x006b5e07
0x006b5e07
0x006b5e07
0x006b5e07
0x006b5e12
0x006b5e17
0x006b5e19
0x006b5e21
0x006b5e23
0x006b5e26
0x006b5e2b
0x006b5e2b
0x006b5e37
0x006b5e4a
0x006b5e58
0x006b5e5e
0x006b5e64
0x006b5e6a
0x006b5e70
0x006b5e76
0x006b5e7c
0x006b5e82
0x006b5e88
0x006b5e8e
0x006b5e95
0x006b5e9c
0x006b5ea3
0x006b5eaa
0x006b5eb1
0x006b5eb8
0x006b5eb9
0x006b5ec2
0x006b5ec8
0x006b5ecb
0x006b5ed1
0x006b5ede
0x006b5ee7
0x006b5ef0
0x006b5ef9
0x006b5f07
0x006b5f09
0x006b5f1e
0x006b5f2a
0x006b5f2d
0x006b5f32
0x006b5f41

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000004), ref: 006B5EFF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000004), ref: 006B5F09
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000004), ref: 006B5F16

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 25a6c0855d91149a27b5e38f1fe2751f38811644f7a392c9a1b28fe04fcf446e
Instruction ID: afc5b3f05d20edeacfa381e5edf0b35d6b3374778749422dc48eab762921ca61
Opcode Fuzzy Hash: 25a6c0855d91149a27b5e38f1fe2751f38811644f7a392c9a1b28fe04fcf446e
Instruction Fuzzy Hash: 9331D3B5901218ABCB61DF64D889BDDBBB9BF08310F5041EAE41CA7251EB709BC18F45

Uniqueness

Uniqueness Score: -1.00%

Function 006B2A6B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E006B2A6B(intOrPtr __edx) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				intOrPtr _t59;
				signed int _t60;
				signed int _t62;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr* _t70;
				intOrPtr _t78;
				intOrPtr _t83;
				intOrPtr* _t85;
				signed int _t86;
				signed int _t89;

				_t83 = __edx;
				 *0x6cfd30 =  *0x6cfd30 & 0x00000000;
				 *0x6cf020 =  *0x6cf020 | 1;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L20:
					return 0;
				}
				_v24 = _v24 & 0x00000000;
				 *0x6cf020 =  *0x6cf020 | 0x00000002;
				 *0x6cfd30 = 1;
				_t85 =  &_v48;
				_push(1);
				asm("cpuid");
				_pop(_t67);
				 *_t85 = 0;
				 *((intOrPtr*)(_t85 + 4)) = 1;
				 *((intOrPtr*)(_t85 + 8)) = 0;
				 *((intOrPtr*)(_t85 + 0xc)) = _t83;
				_v16 = _v48;
				_t51 = 1;
				asm("sbb cl, cl");
				_t78 = 0;
				_push(1);
				asm("cpuid");
				_pop(_t68);
				 *_t85 = _t51;
				 *((intOrPtr*)(_t85 + 4)) = _t67;
				 *((intOrPtr*)(_t85 + 8)) = _t78;
				 *((intOrPtr*)(_t85 + 0xc)) = _t83;
				if( ~(_v36 ^ 0x49656e69 | _v40 ^ 0x6c65746e | _v44 ^ 0x756e6547) + 1 == 0) {
					L9:
					_t86 =  *0x6cfd34; // 0x2
					L10:
					_v32 = _v36;
					_t53 = _v40;
					_v12 = _t53;
					_v28 = _t53;
					if(_v16 >= 7) {
						_t59 = 7;
						_push(_t68);
						asm("cpuid");
						_t70 =  &_v48;
						 *_t70 = _t59;
						 *((intOrPtr*)(_t70 + 4)) = _t68;
						 *((intOrPtr*)(_t70 + 8)) = 0;
						 *((intOrPtr*)(_t70 + 0xc)) = _t83;
						_t60 = _v44;
						_v24 = _t60;
						_t53 = _v12;
						if((_t60 & 0x00000200) != 0) {
							 *0x6cfd34 = _t86 | 0x00000002;
						}
					}
					if((_t53 & 0x00100000) != 0) {
						 *0x6cf020 =  *0x6cf020 | 0x00000004;
						 *0x6cfd30 = 2;
						if((_t53 & 0x08000000) != 0 && (_t53 & 0x10000000) != 0) {
							asm("xgetbv");
							_v20 = _t53;
							_v16 = _t83;
							if((_v20 & 0x00000006) == 6 && 0 == 0) {
								_t56 =  *0x6cf020; // 0x2f
								_t57 = _t56 | 0x00000008;
								 *0x6cfd30 = 3;
								 *0x6cf020 = _t57;
								if((_v24 & 0x00000020) != 0) {
									 *0x6cfd30 = 5;
									 *0x6cf020 = _t57 | 0x00000020;
								}
							}
						}
					}
					goto L20;
				}
				_t62 = _v48 & 0x0fff3ff0;
				if(_t62 == 0x106c0 || _t62 == 0x20660 || _t62 == 0x20670 || _t62 == 0x30650 || _t62 == 0x30660 || _t62 == 0x30670) {
					_t89 =  *0x6cfd34; // 0x2
					_t86 = _t89 | 0x00000001;
					 *0x6cfd34 = _t86;
					goto L10;
				} else {
					goto L9;
				}
			}

0x006b2a6b
0x006b2a6e
0x006b2a7c
0x006b2a8b
0x006b2c05
0x006b2c0b
0x006b2c0b
0x006b2a91
0x006b2a97
0x006b2aa2
0x006b2aa8
0x006b2aab
0x006b2aac
0x006b2ab0
0x006b2ab1
0x006b2ab3
0x006b2ab6
0x006b2ab9
0x006b2ac2
0x006b2ae3
0x006b2ae4
0x006b2aeb
0x006b2aec
0x006b2aed
0x006b2af1
0x006b2af2
0x006b2af4
0x006b2af7
0x006b2afa
0x006b2afd
0x006b2b42
0x006b2b42
0x006b2b48
0x006b2b4f
0x006b2b52
0x006b2b55
0x006b2b58
0x006b2b5b
0x006b2b5f
0x006b2b62
0x006b2b63
0x006b2b68
0x006b2b6b
0x006b2b6d
0x006b2b70
0x006b2b73
0x006b2b76
0x006b2b7e
0x006b2b81
0x006b2b84
0x006b2b89
0x006b2b89
0x006b2b84
0x006b2b96
0x006b2b98
0x006b2b9f
0x006b2bae
0x006b2bb9
0x006b2bbc
0x006b2bbf
0x006b2bd0
0x006b2bd6
0x006b2bdb
0x006b2bde
0x006b2bec
0x006b2bf1
0x006b2bf6
0x006b2c00
0x006b2c00
0x006b2bf1
0x006b2bd0
0x006b2bae
0x00000000
0x006b2b96
0x006b2b02
0x006b2b0c
0x006b2b31
0x006b2b37
0x006b2b3a
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006B2A84

Strings

, xrefs: 006B2BE8

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: 5bbe69b80f6a54da216bd28a00ff11afe88bb907c5d462462cf36674b608afcc
Instruction ID: 62b290281445dab3f2e3079dd17dbc7a99a696c9665adcea1668e6076b853dd2
Opcode Fuzzy Hash: 5bbe69b80f6a54da216bd28a00ff11afe88bb907c5d462462cf36674b608afcc
Instruction Fuzzy Hash: 6E5161B1D112068BDB14CF69D8A6BEEBBF6FB08314F14952AD806E7350D774A844CB50

Uniqueness

Uniqueness Score: -1.00%

Function 006B919A Relevance: 1.8, APIs: 1, Instructions: 269
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E006B919A(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E006B966C(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E006B95D2(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x006b91a8
0x006b91af
0x006b91b4
0x006b91ba
0x006b91bd
0x006b91c3
0x006b91c8
0x006b91cd
0x006b91cd
0x006b91d3
0x006b91d8
0x006b91dd
0x006b91dd
0x006b91e4
0x006b91e9
0x006b91ee
0x006b91ee
0x006b91f5
0x006b91fa
0x006b91ff
0x006b91ff
0x006b9206
0x006b920b
0x006b9210
0x006b9210
0x006b9218
0x006b9228
0x006b923a
0x006b924c
0x006b925f
0x006b9271
0x006b9279
0x006b927e
0x006b9283
0x006b9283
0x006b928a
0x006b928f
0x006b928f
0x006b9296
0x006b929b
0x006b929b
0x006b92a2
0x006b92a7
0x006b92a7
0x006b92ae
0x006b92b3
0x006b92b3
0x006b92bd
0x006b92bf
0x006b92f9
0x006b92c1
0x006b92c6
0x006b92ea
0x006b92f2
0x006b92e6
0x006b92e6
0x006b92fc
0x006b9303
0x006b9305
0x006b9327
0x006b932f
0x006b9332
0x006b9332
0x006b9334
0x006b9334
0x006b933f
0x006b9345
0x006b934a
0x006b9351
0x006b938b
0x006b9396
0x006b939c
0x006b939f
0x006b93a2
0x006b93ae
0x006b93b6
0x006b9353
0x006b9356
0x006b9362
0x006b9368
0x006b936e
0x006b9371
0x006b937a
0x006b937a
0x006b93b9
0x006b93c7
0x006b93cd
0x006b93d4
0x006b93d6
0x006b93d6
0x006b93dd
0x006b93df
0x006b93df
0x006b93e6
0x006b93e8
0x006b93e8
0x006b93ef
0x006b93f1
0x006b93f1
0x006b93f8
0x006b93fa
0x006b93fa
0x006b9407
0x006b940a
0x006b9441
0x006b940c
0x006b940c
0x006b940f
0x006b943a
0x006b942f
0x006b942f
0x006b9443
0x006b944b
0x006b944e
0x006b946d
0x006b9472
0x006b9472
0x006b9474
0x006b9479
0x006b9485
0x006b947b
0x006b947e
0x006b947e
0x006b948a
0x006b948a
0x006b9450
0x006b9453
0x006b9462
0x00000000
0x006b9462
0x006b9455
0x006b9458
0x006b945a
0x006b945a
0x00000000
0x006b9458
0x006b9411
0x006b9414
0x006b942a
0x00000000
0x006b942a
0x006b9419
0x006b941b
0x006b941b
0x006b9419
0x00000000
0x006b940a
0x006b930c
0x006b931a
0x006b9322
0x00000000
0x006b9322
0x006b9310
0x006b9315
0x006b9315
0x00000000
0x006b9310
0x006b92cd
0x006b92db
0x006b92e3
0x00000000
0x006b92e3
0x006b92d1
0x006b92d6
0x006b92d6
0x006b92d1

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,006B9195,?,?,?,?,?,?,00000000), ref: 006B93C7

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 542d636c4e2e65d6c621a5e229610850c4a5274a75a9c918731692c0985d71c9
Instruction ID: 5094f41d391990ca59b196bbf2de611ae3689ee702f54fbfc3137cfbec576583
Opcode Fuzzy Hash: 542d636c4e2e65d6c621a5e229610850c4a5274a75a9c918731692c0985d71c9
Instruction Fuzzy Hash: C9B15D715206089FD715CF28C48ABE47BE1FF45364F258658EA99CF3A1C335EA82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 006B295A Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006B295A() {

				return SetUnhandledExceptionFilter(E006B2966);
			}

0x006b2965

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00002966,006B1FBD), ref: 006B295F

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e26bad85f4b067a77ae90bb095690b252ecd07d52b24ae73ca01eeace1f5057b
Instruction ID: 3779e785af4fe538cd76ce4acb9542bec0c02326ad8cd8242c280a7ea36db77c
Opcode Fuzzy Hash: e26bad85f4b067a77ae90bb095690b252ecd07d52b24ae73ca01eeace1f5057b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 006BEA90 Relevance: 1.3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006BEA90(intOrPtr _a4, char _a8) {
				void* _t11;
				signed int _t13;
				void* _t15;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t20;

				_t8 = _a4;
				_t18 = 0;
				_t2 = _t8 + 0x3c; // 0x110
				_t15 =  *_t2 + _a4;
				_t13 =  *(_t15 + 6) & 0x0000ffff;
				_t11 = ( *(_t15 + 0x14) & 0x0000ffff) + 0x18 + _t15;
				if(_t13 == 0) {
					L5:
					return 0;
				}
				_t5 =  &_a8; // 0x6beb3e
				_t19 =  *_t5;
				while(1) {
					_t20 =  *((intOrPtr*)(_t11 + 0xc));
					if(_t19 >= _t20 && _t19 <  *((intOrPtr*)(_t11 + 8)) + _t20) {
						break;
					}
					_t18 = _t18 + 1;
					_t11 = _t11 + 0x28;
					if(_t18 < _t13) {
						continue;
					} else {
						goto L5;
					}
					L7:
				}
				return _t11;
				goto L7;
			}

0x006bea93
0x006bea96
0x006bea9b
0x006bea9e
0x006beaa4
0x006beaab
0x006beaaf
0x006beacc
0x00000000
0x006beacc
0x006beab1
0x006beab1
0x006beab4
0x006beab4
0x006beab9
0x00000000
0x00000000
0x006beac4
0x006beac5
0x006beaca
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x006beaca
0x006bead2
0x00000000

Strings

>k, xrefs: 006BEAB1

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID:
String ID: >k
API String ID: 0-321286556
Opcode ID: 1dc8bee23c138a933d8091b39665165e589bfb8d0d54666c843b9a3133221a8b
Instruction ID: 95abc28f2248ecd792ba01e393e591e215036c6fe13228a48e8624c82ed8c126
Opcode Fuzzy Hash: 1dc8bee23c138a933d8091b39665165e589bfb8d0d54666c843b9a3133221a8b
Instruction Fuzzy Hash: 99F030727002155B9B448B5ADC80AF9B3DFEE8473431D80AAE5048B742DA75EC92C394

Uniqueness

Uniqueness Score: -1.00%

Function 006BB38C Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E006BB38C() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x6d0790 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x006bb38c
0x006bb394
0x006bb39c

APIs

GetProcessHeap.KERNEL32 ref: 006BB38C

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 475434a468b8b62eb2b0216d8c1fcf043703d42e22221b68a1ed6694245cdb9d
Instruction ID: 06f20abca8b22d3f57fef22c1c8bf1d0ea206ea51c1c3c828f348378bae5e37e
Opcode Fuzzy Hash: 475434a468b8b62eb2b0216d8c1fcf043703d42e22221b68a1ed6694245cdb9d
Instruction Fuzzy Hash: D9A00474711101CF77404F357D0571D37D7F5555D1F0551575405C5170D73454505F55

Uniqueness

Uniqueness Score: -1.00%

Function 006BF210 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee113276ddba2b672adb54d3448b1d9171bbfbffa9162f173e9f859d6b8ad48b
Instruction ID: 0f05d4868721f093461e2764d6e5fce69b6f354fad7ed97d3ce215ca74ca9576
Opcode Fuzzy Hash: ee113276ddba2b672adb54d3448b1d9171bbfbffa9162f173e9f859d6b8ad48b
Instruction Fuzzy Hash: 89320362D28F414DD7239638CC22375664AAFB73D4F55D737E81AB5AB6EF2984C34200

Uniqueness

Uniqueness Score: -1.00%

Function 006BBC39 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747b3fca37ab49332eb5fe56010689fd3c7c98eb8aaa19a0745aea5eae09fade
Instruction ID: 48d6ded86224996b3a325965edfcbb04d40e0a8e6350ac27cecd4a6d8be2329f
Opcode Fuzzy Hash: 747b3fca37ab49332eb5fe56010689fd3c7c98eb8aaa19a0745aea5eae09fade
Instruction Fuzzy Hash: 37321561D29F014DD7239634CC22375A38AAFB73D4F15E727E816B5EA6EB29D6C34200

Uniqueness

Uniqueness Score: -1.00%

Function 006B4610 Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E006B4610(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x006b4610
0x006b4617
0x006b466c
0x006b466c
0x006b4619
0x006b4619
0x006b461f
0x006b4629
0x006b4641
0x006b4641
0x006b4644
0x006b4658
0x006b4658
0x006b465b
0x00000000
0x006b465d
0x006b465d
0x006b465d
0x006b465f
0x006b4664
0x00000000
0x00000000
0x006b4666
0x006b4669
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x006b4669
0x00000000
0x006b465d
0x006b4646
0x006b4653
0x006b4672
0x006b4674
0x006b4682
0x006b468b
0x00000000
0x006b468d
0x006b4690
0x006b4692
0x006b46bc
0x006b4694
0x006b4694
0x006b4696
0x006b46b6
0x006b4698
0x006b469b
0x006b469d
0x006b46b0
0x006b469f
0x006b46a1
0x00000000
0x006b46a3
0x00000000
0x006b46a3
0x006b46a1
0x006b469d
0x006b4696
0x006b4692
0x00000000
0x006b466d
0x006b466d
0x006b466d
0x00000000
0x006b4657
0x006b462b
0x006b462b
0x006b462b
0x006b462d
0x006b4632
0x00000000
0x00000000
0x006b4634
0x006b4637
0x00000000
0x006b4639
0x006b463f
0x00000000
0x00000000
0x00000000
0x00000000
0x006b463f
0x00000000
0x006b4637
0x006b46a6
0x006b46aa
0x006b46aa
0x006b4629
0x00000000

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 297cf2d13cb492ed52d94c10a99e456e896ff8bda69e5d6045e826e4918b1a0b
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 951108F720049183D6148A2DC9B8AF6A397EAC7325B2D436AD1914B75BFA2299C59700

Uniqueness

Uniqueness Score: -1.00%

Function 006B215D Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E006B215D(void* __ebx, void* __ecx, void* __edx, _Unknown_base(*)()* __edi, void* __esi, void* __eflags) {
				void* _t4;
				void* _t10;
				intOrPtr* _t17;
				void* _t24;
				struct HINSTANCE__* _t28;
				_Unknown_base(*)()* _t29;

				_t25 = __edi;
				_t24 = __edx;
				_push(__edi);
				E006B4D59(__eflags, 0x6cf9a8, 0xfa0, 0);
				_t28 = GetModuleHandleW(L"kernel32.dll");
				if(_t28 == 0) {
					L7:
					E006B27C8(_t24, _t25, 7);
					asm("int3");
					DeleteCriticalSection(0x6cf9a8);
					_t4 =  *0x6cf9c4; // 0x0
					__eflags = _t4;
					if(_t4 != 0) {
						return CloseHandle(_t4);
					}
					return _t4;
				} else {
					_t17 = GetProcAddress(_t28, "InitializeConditionVariable");
					_t25 = GetProcAddress(_t28, "SleepConditionVariableCS");
					_t29 = GetProcAddress(_t28, "WakeAllConditionVariable");
					if(_t17 == 0 || _t25 == 0) {
						L5:
						_t10 = CreateEventW(0, 1, 0, 0);
						 *0x6cf9c4 = _t10;
						__eflags = _t10;
						if(__eflags == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						_t37 = _t29;
						if(_t29 == 0) {
							goto L5;
						} else {
							 *0x6cf9c4 =  *0x6cf9c4 & 0x00000000;
							L006B2A05();
							 *_t17(0x6cf9c0);
							 *0x6cf9c8 = E006B4A2A(_t25);
							 *0x6cf9cc = E006B4A2A(_t29);
							L6:
							E006B248F(_t37, 0x6b221d);
							return 0;
						}
					}
				}
			}

0x006b215d
0x006b215d
0x006b215f
0x006b216c
0x006b217f
0x006b2183
0x006b2215
0x006b2217
0x006b221c
0x006b2222
0x006b2228
0x006b222d
0x006b222f
0x00000000
0x006b2232
0x006b2238
0x006b2189
0x006b219b
0x006b21a9
0x006b21b1
0x006b21b5
0x006b21ee
0x006b21f5
0x006b21fb
0x006b2200
0x006b2202
0x00000000
0x00000000
0x00000000
0x00000000
0x006b21bb
0x006b21bb
0x006b21bd
0x00000000
0x006b21bf
0x006b21bf
0x006b21cd
0x006b21d2
0x006b21db
0x006b21e7
0x006b2204
0x006b2209
0x006b2214
0x006b2214
0x006b21bd
0x006b21b5

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006B2179
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006B218F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006B219D
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006B21AB
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 006B21F5
DeleteCriticalSection.KERNEL32(006CF9A8,00000007), ref: 006B2222
CloseHandle.KERNEL32(00000000), ref: 006B2232

Strings

InitializeConditionVariable, xrefs: 006B2189
WakeAllConditionVariable, xrefs: 006B21A3
kernel32.dll, xrefs: 006B2174
SleepConditionVariableCS, xrefs: 006B2195

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: AddressProc$Handle$CloseCreateCriticalDeleteEventModuleSection
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$kernel32.dll
API String ID: 246271217-758797311
Opcode ID: f8370c604c9d19aefefb181c3a683d248e38b979f5abe7b681a1fc6dabf50880
Instruction ID: 7ce578d77889a99f7aaa999d577628be13e42ae738bbb4b413756b12eeee791b
Opcode Fuzzy Hash: f8370c604c9d19aefefb181c3a683d248e38b979f5abe7b681a1fc6dabf50880
Instruction Fuzzy Hash: F411C8B1B51312BBEB103BB8AC19FF626DBEB44B11F12102DFA00D2691EE7089808765

Uniqueness

Uniqueness Score: -1.00%

Function 006B1A90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E006B1A90(intOrPtr __ecx) {
				void* __edi;
				intOrPtr _t26;
				signed int _t29;
				WCHAR* _t30;
				int _t31;
				WCHAR* _t42;
				signed int _t45;
				intOrPtr _t47;
				WCHAR* _t55;
				short* _t58;
				WCHAR* _t60;
				intOrPtr _t64;
				WCHAR* _t65;
				void* _t67;
				void* _t68;
				void* _t69;

				_t47 = __ecx;
				_t64 =  *((intOrPtr*)(__ecx + 0x10));
				if(_t64 != 0) {
					_push( ~(__eflags > 0) | (_t64 + 0x00000001) * 0x00000002);
					_t60 = E006B61EA( ~(__eflags > 0) | (_t64 + 0x00000001) * 0x00000002);
					_t68 = _t67 + 4;
					__eflags = _t60;
					if(_t60 == 0) {
						L17:
						__eflags = 0;
						return 0;
					} else {
						__eflags =  *((intOrPtr*)(__ecx + 0x14)) - 8;
						if( *((intOrPtr*)(__ecx + 0x14)) < 8) {
							_t26 = __ecx;
						} else {
							_t26 =  *((intOrPtr*)(__ecx));
						}
						E006B6127(_t60, _t64 + 1, _t26);
						_t29 = _t64 - 1;
						_t69 = _t68 + 0xc;
						__eflags = _t60[_t29] - 0x5c;
						_t30 =  &(_t60[_t29]);
						if(_t60[_t29] == 0x5c) {
							do {
								 *_t30 = 0;
								_t42 = _t60;
								_t16 =  &(_t42[1]); // 0x2
								_t58 = _t16;
								asm("o16 nop [eax+eax]");
								do {
									_t55 =  *_t42;
									_t42 =  &(_t42[1]);
									__eflags = _t55;
								} while (_t55 != 0);
								_t45 = (_t42 - _t58 >> 1) - 1;
								__eflags = _t60[_t45] - 0x5c;
								_t30 =  &(_t60[_t45]);
							} while (_t60[_t45] == 0x5c);
						}
						_t31 = PathRemoveFileSpecW(_t60);
						__eflags = _t31;
						if(_t31 != 0) {
							E006B1490(_t47, _t60, _t60);
							L006B61E5(_t60);
							return 1;
						} else {
							__eflags =  *0x6d0870 - _t31;
							if( *0x6d0870 == _t31) {
								_t65 =  *0x6d0874; // 0x0
								__eflags = _t65;
								if(_t65 != 0) {
									 *((intOrPtr*)( *_t65 + 0x34))( *0x6d0874, 0x32, 0x6c8fe4, L"FileUtils", L"Failed to remove file spec error: %d", GetLastError());
									_t69 = _t69 + 0x18;
								}
								L006B214A(_t60);
								goto L17;
							} else {
								 *0x6d0870(0x32, L"OOBEUtils", L"FileUtils", 0x6c8fe4, 0x6c8fe4, L"Failed to remove file spec error: %d", GetLastError());
								L006B214A(_t60);
								__eflags = 0;
								return 0;
							}
						}
					}
				} else {
					return 0;
				}
			}

0x006b1a91
0x006b1a94
0x006b1a99
0x006b1ab4
0x006b1aba
0x006b1abc
0x006b1abf
0x006b1ac1
0x006b1ba4
0x006b1ba6
0x006b1ba9
0x006b1ac7
0x006b1ac7
0x006b1acb
0x006b1ad1
0x006b1acd
0x006b1acd
0x006b1acd
0x006b1ad9
0x006b1ade
0x006b1ae1
0x006b1ae4
0x006b1ae9
0x006b1aec
0x006b1af0
0x006b1af2
0x006b1af5
0x006b1af7
0x006b1af7
0x006b1afa
0x006b1b00
0x006b1b00
0x006b1b03
0x006b1b06
0x006b1b06
0x006b1b0f
0x006b1b10
0x006b1b15
0x006b1b15
0x006b1af0
0x006b1b1b
0x006b1b21
0x006b1b23
0x006b1bad
0x006b1bb3
0x006b1bc0
0x006b1b29
0x006b1b29
0x006b1b2f
0x006b1b6b
0x006b1b71
0x006b1b73
0x006b1b95
0x006b1b98
0x006b1b98
0x006b1b9c
0x00000000
0x006b1b31
0x006b1b53
0x006b1b5d
0x006b1b65
0x006b1b6a
0x006b1b6a
0x006b1b2f
0x006b1b23
0x006b1a9c
0x006b1a9f
0x006b1a9f

APIs

PathRemoveFileSpecW.SHLWAPI(00000000), ref: 006B1B1B
GetLastError.KERNEL32 ref: 006B1B31

Strings

Failed to remove file spec error: %d, xrefs: 006B1B38, 006B1B7E
OOBEUtils, xrefs: 006B1B4C
FileUtils, xrefs: 006B1B47, 006B1B83

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: ErrorFileLastPathRemoveSpec
String ID: Failed to remove file spec error: %d$FileUtils$OOBEUtils
API String ID: 3648509562-2250240356
Opcode ID: 4c4e598895d3bee4ca3eac4fb362db5ea17c18299bd6b32e5717e670135ff0d9
Instruction ID: 907ee010a254bf3181c0f51e3ffd750d2c4f512598809097d093641d8251bd10
Opcode Fuzzy Hash: 4c4e598895d3bee4ca3eac4fb362db5ea17c18299bd6b32e5717e670135ff0d9
Instruction Fuzzy Hash: 233139B1B41210BFDB206B289C52FFB33ABEF92741745002EF805DB252EB61E8519791

Uniqueness

Uniqueness Score: -1.00%

Function 006B7018 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006B700D,00000003,?,006B6FAD,00000003,006CD978,0000000C,006B70C0,00000003,00000002), ref: 006B7038
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006B704B
FreeLibrary.KERNEL32(00000000,?,?,?,006B700D,00000003,?,006B6FAD,00000003,006CD978,0000000C,006B70C0,00000003,00000002,00000000), ref: 006B706E

Strings

CorExitProcess, xrefs: 006B7043
mscoree.dll, xrefs: 006B7031

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fe5fc0e61e3e4dd699bc5fed3f2d5500d8ccc65f6872308f2c8a0e9e1bea6469
Instruction ID: 3596ab672eaf541bf44fee049e1613a0fc040fc5385c9f76568f3760e4523bc5
Opcode Fuzzy Hash: fe5fc0e61e3e4dd699bc5fed3f2d5500d8ccc65f6872308f2c8a0e9e1bea6469
Instruction Fuzzy Hash: 5AF04471A04208FBDB21AF90DC19FEDBFB6EB44711F0101A9F905A2250DB708A80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 006BD0D7 Relevance: 7.7, APIs: 5, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E006BD0D7(void* __ebx, void* __edi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __esi;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t92;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				signed int _t129;
				signed char* _t131;
				intOrPtr* _t132;
				signed int _t133;
				void* _t134;

				_t78 =  *0x6cf00c; // 0xe4e76224
				_v8 = _t78 ^ _t133;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t131 = _a12;
				_v52 = _t131;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x6d0470 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t131;
				_t86 = GetConsoleCP();
				_t132 = _a4;
				_v60 = _t86;
				 *_t132 = 0;
				 *((intOrPtr*)(_t132 + 4)) = 0;
				 *((intOrPtr*)(_t132 + 8)) = 0;
				while(_t131 < _v40) {
					_v28 = 0;
					_v31 =  *_t131;
					_t129 =  *(0x6d0470 + _v48 * 4);
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						_t92 = E006B78C4(_t116, _t129);
						_t129 = 0x8000;
						if(( *(_t92 + ( *_t131 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t131);
							goto L8;
						} else {
							if(_t131 >= _v40) {
								_t129 = _v48;
								 *((char*)( *((intOrPtr*)(0x6d0470 + _t129 * 4)) + _t116 + 0x2e)) =  *_t131;
								 *( *((intOrPtr*)(0x6d0470 + _t129 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x6d0470 + _t129 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 4)) + 1;
							} else {
								_t112 = E006B8C76( &_v28, _t131, 2);
								_t134 = _t134 + 0xc;
								if(_t112 != 0xffffffff) {
									_t131 =  &(_t131[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E006B8C76();
						_t134 = _t134 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t131 =  &(_t131[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t132 = GetLastError();
								} else {
									 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 8)) - _v52 + _t131;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t132 + 8)) =  *((intOrPtr*)(_t132 + 8)) + 1;
													 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E006B1EC3(_v8 ^ _t133, _t129, _t132);
			}

0x006bd0df
0x006bd0e6
0x006bd0e9
0x006bd0f1
0x006bd0f5
0x006bd101
0x006bd104
0x006bd107
0x006bd10e
0x006bd116
0x006bd119
0x006bd11f
0x006bd125
0x006bd12a
0x006bd12c
0x006bd12f
0x006bd134
0x006bd13e
0x006bd145
0x006bd148
0x006bd14f
0x006bd156
0x006bd171
0x006bd179
0x006bd182
0x006bd1a8
0x006bd1aa
0x00000000
0x006bd184
0x006bd187
0x006bd24e
0x006bd25a
0x006bd265
0x006bd26a
0x006bd18d
0x006bd194
0x006bd199
0x006bd19f
0x006bd1a5
0x00000000
0x006bd1a5
0x006bd19f
0x006bd187
0x006bd158
0x006bd15c
0x006bd15f
0x006bd165
0x006bd167
0x006bd16a
0x006bd16e
0x006bd1ab
0x006bd1ae
0x006bd1af
0x006bd1b4
0x006bd1ba
0x006bd1c0
0x006bd1cf
0x006bd1d5
0x006bd1db
0x006bd1e0
0x006bd1fc
0x006bd26f
0x006bd275
0x006bd1fe
0x006bd206
0x006bd20f
0x006bd215
0x00000000
0x006bd217
0x006bd219
0x006bd21c
0x006bd235
0x00000000
0x006bd237
0x006bd23b
0x006bd23d
0x006bd240
0x00000000
0x006bd240
0x006bd23b
0x006bd235
0x006bd215
0x006bd20f
0x006bd1fc
0x006bd1e0
0x006bd1ba
0x00000000
0x006bd243
0x006bd243
0x006bd277
0x006bd289

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,006BD84C,?,00000000,?,00000000,00000000), ref: 006BD119
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 006BD1D5
WriteFile.KERNEL32(?,?,00000000,006BD84C,00000000,?,?,?,?,?,?,?,?,?,006BD84C,?), ref: 006BD1F4
WriteFile.KERNEL32(?,?,00000001,006BD84C,00000000,?,?,?,?,?,?,?,?,?,006BD84C,?), ref: 006BD22D

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleMultiWide
String ID:
API String ID: 977765425-0
Opcode ID: c55e99aaf4e847fbbea234ebfff2414c0cda56ea474f7b2f5cfa91112b8f4e9d
Instruction ID: 81aa0ca5288856bbb80fc1edf1f2ea49bf48d5afc4a1dba8d371448952410e42
Opcode Fuzzy Hash: c55e99aaf4e847fbbea234ebfff2414c0cda56ea474f7b2f5cfa91112b8f4e9d
Instruction Fuzzy Hash: 305152B5E00249EFDB10CFA8D845EEEBBF6EF49300F14415AE955E7251E6309A81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 006B4AE7 Relevance: 6.1, APIs: 4, Instructions: 54
libraryCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E006B4AE7(signed int _a4) {
				void* _t13;
				signed int _t15;
				signed int _t21;
				WCHAR* _t22;
				signed int* _t25;
				void* _t27;

				_t21 = _a4;
				_t25 = 0x6d0004 + _t21 * 4;
				asm("lock cmpxchg [edi], ecx");
				if(0 == 0) {
					_t22 =  *(_t21 * 4 + "X l");
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				asm("sbb eax, eax");
				return  ~0x00000001 & 0;
			}

0x006b4aeb
0x006b4af3
0x006b4afa
0x006b4b02
0x006b4b0f
0x006b4b25
0x006b4b29
0x006b4b52
0x006b4b54
0x006b4b58
0x006b4b5b
0x006b4b5b
0x006b4b61
0x006b4b63
0x00000000
0x006b4b63
0x006b4b2b
0x006b4b34
0x006b4b43
0x006b4b36
0x006b4b39
0x006b4b3f
0x006b4b3f
0x006b4b47
0x00000000
0x006b4b49
0x006b4b4c
0x006b4b4e
0x00000000
0x006b4b4e
0x006b4b47
0x006b4b09
0x00000000

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,?,?,?,006B4A8E,?,?,?,?,?,006B4B82,00000000,EventRegister), ref: 006B4B1F
GetLastError.KERNEL32(?,?,006B4A8E,?,?,?,?,?,006B4B82,00000000,EventRegister,006C20F8,EventRegister,?,?,006B102E), ref: 006B4B2B
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,006B4A8E,?,?,?,?,?,006B4B82,00000000,EventRegister,006C20F8,EventRegister), ref: 006B4B39

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3816929d11c029ab0f5812d4a75b9a982b7806997aa9d5de4158647abfd0dccc
Instruction ID: 19902690e35030550d3403dbd788a487b6a5d61643d51da282ce9d5a33703aa8
Opcode Fuzzy Hash: 3816929d11c029ab0f5812d4a75b9a982b7806997aa9d5de4158647abfd0dccc
Instruction Fuzzy Hash: D501B5727062229BDB214F35DC44FE7B79AAF057A1B110535EB06D7291EE30D841C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 006B3F07 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E006B3F07(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				intOrPtr* _v60;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				void* _t71;
				intOrPtr* _t74;
				intOrPtr* _t78;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr* _t87;
				intOrPtr* _t89;
				signed int _t93;
				void* _t97;
				intOrPtr _t98;
				intOrPtr* _t100;
				char _t101;
				void* _t105;
				intOrPtr _t111;
				char _t114;
				intOrPtr _t116;
				intOrPtr* _t119;
				intOrPtr* _t121;
				intOrPtr* _t123;
				intOrPtr _t129;
				void* _t130;
				intOrPtr* _t131;
				intOrPtr* _t132;
				signed int* _t136;
				void* _t138;
				void* _t140;
				void* _t141;
				void* _t142;

				_push(_t105);
				_push(_t105);
				_t119 = _a4;
				_t143 =  *_t119 - 0x80000003;
				if( *_t119 == 0x80000003) {
					L18:
					return _t70;
				} else {
					_push(_t97);
					_push(_t130);
					_t71 = E006B599C(_t97, _t105, __edx, _t119, _t130, _t143);
					_t98 = _a20;
					_t144 =  *((intOrPtr*)(_t71 + 8));
					if( *((intOrPtr*)(_t71 + 8)) == 0) {
						L6:
						if( *((intOrPtr*)(_t98 + 0xc)) == 0) {
							E006B6566(_t98, _t105, _t119);
							asm("int3");
							_t138 = _t140;
							_t141 = _t140 - 0x18;
							_push(_t98);
							_push(_t130);
							_t131 = _v16;
							_push(_t119);
							__eflags = _t131;
							if(_t131 == 0) {
								E006B6566(_t98, _t105, _t119);
								asm("int3");
								_push(_t138);
								_push(_t98);
								_push(_t131);
								_push(_t119);
								_t121 = _v60;
								_t132 = 0;
								__eflags =  *_t121;
								if( *_t121 <= 0) {
									L37:
									_t74 = 0;
									__eflags = 0;
								} else {
									_t100 = 0;
									while(1) {
										_t78 = E006B46BD( *((intOrPtr*)(_t100 +  *((intOrPtr*)(_t121 + 4)) + 4)) + 4, 0x6cf930);
										__eflags = _t78;
										if(_t78 == 0) {
											break;
										}
										_t132 = _t132 + 1;
										_t100 = _t100 + 0x10;
										__eflags = _t132 -  *_t121;
										if(_t132 <  *_t121) {
											continue;
										} else {
											goto L37;
										}
										goto L38;
									}
									_t74 = 1;
								}
								L38:
								return _t74;
							} else {
								_t123 =  *_t131;
								_t101 = 0;
								__eflags = _t123;
								if(_t123 > 0) {
									_t114 = 0;
									_v12 = 0;
									_t82 =  *((intOrPtr*)( *((intOrPtr*)(_v0 + 0x1c)) + 0xc));
									_t83 = _t82 + 4;
									__eflags = _t83;
									_v24 =  *_t82;
									_v32 = _t83;
									do {
										_t109 = _t83;
										_t84 = _v24;
										_v20 = _t83;
										_v16 = _t84;
										__eflags = _t84;
										if(_t84 > 0) {
											_t86 =  *((intOrPtr*)(_t131 + 4)) + _t114;
											__eflags = _t86;
											_v28 = _t86;
											while(1) {
												_t87 = E006B44F6(_t86,  *_t109,  *((intOrPtr*)(_v0 + 0x1c)));
												_t141 = _t141 + 0xc;
												__eflags = _t87;
												if(_t87 != 0) {
													break;
												}
												_t89 = _v16 - 1;
												_t109 = _v20 + 4;
												_v16 = _t89;
												__eflags = _t89;
												_v20 = _v20 + 4;
												_t86 = _v28;
												if(_t89 > 0) {
													continue;
												} else {
												}
												L29:
												_t114 = _v12;
												goto L30;
											}
											_t101 = 1;
											goto L29;
										}
										L30:
										_t83 = _v32;
										_t114 = _t114 + 0x10;
										_v12 = _t114;
										_t123 = _t123 - 1;
										__eflags = _t123;
									} while (_t123 != 0);
								}
								return _t101;
							}
						} else {
							_t70 = E006B5157(_t105, _t98, _a28, _a24,  &_v12,  &_v8);
							_t111 = _v12;
							_t142 = _t140 + 0x14;
							_t116 = _v8;
							if(_t111 < _t116) {
								_t17 = _t70 + 0xc; // 0xc
								_t136 = _t17;
								_t70 = _a24;
								do {
									if(_t70 >=  *((intOrPtr*)(_t136 - 0xc)) && _t70 <=  *((intOrPtr*)(_t136 - 8))) {
										_t93 =  *_t136 << 4;
										if( *((intOrPtr*)(_t136[1] + _t93 - 0xc)) == 0) {
											L13:
											_t94 = _t93 + _t136[1] + 0xfffffff0;
											_t129 = _a4;
											if(( *(_t93 + _t136[1] + 0xfffffff0) & 0x00000040) == 0) {
												_push(1);
												_t35 = _t136 - 0xc; // 0x0
												E006B3AE1(_t98, _t116, _t129, _a8, _a12, _a16, _t98, _t94, 0, _t35, _a28, _a32);
												_t116 = _v8;
												_t142 = _t142 + 0x2c;
												_t111 = _v12;
											}
										} else {
											_t116 = _v8;
											_t98 = _a20;
											if( *((char*)( *((intOrPtr*)(_t136[1] + _t93 - 0xc)) + 8)) == 0) {
												goto L13;
											}
										}
										_t70 = _a24;
									}
									_t111 = _t111 + 1;
									_t136 =  &(_t136[5]);
									_v12 = _t111;
								} while (_t111 < _t116);
							}
							goto L17;
						}
					} else {
						__imp__EncodePointer(0);
						_t130 = _t71;
						if( *((intOrPtr*)(E006B599C(_t98, _t105, __edx, _t119, _t130, _t144) + 8)) == _t130 ||  *_t119 == 0xe0434f4d ||  *_t119 == 0xe0434352) {
							goto L6;
						} else {
							_t70 = E006B507A(_t119, _a8, _a12, _a16, _t98, _a28, _a32);
							_t140 = _t140 + 0x1c;
							if(_t70 != 0) {
								L17:
								goto L18;
							} else {
								goto L6;
							}
						}
					}
				}
			}

0x006b3f0a
0x006b3f0b
0x006b3f0d
0x006b3f10
0x006b3f16
0x006b4017
0x006b401b
0x006b3f1c
0x006b3f1c
0x006b3f1d
0x006b3f1e
0x006b3f23
0x006b3f26
0x006b3f2a
0x006b3f71
0x006b3f75
0x006b401c
0x006b4021
0x006b4023
0x006b4025
0x006b4028
0x006b4029
0x006b402a
0x006b402d
0x006b402e
0x006b4030
0x006b40b8
0x006b40bd
0x006b40be
0x006b40c1
0x006b40c2
0x006b40c3
0x006b40c4
0x006b40c7
0x006b40c9
0x006b40cb
0x006b40f2
0x006b40f2
0x006b40f2
0x006b40cd
0x006b40cd
0x006b40cf
0x006b40df
0x006b40e6
0x006b40e8
0x00000000
0x00000000
0x006b40ea
0x006b40eb
0x006b40ee
0x006b40f0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x006b40f0
0x006b40f9
0x006b40f9
0x006b40f4
0x006b40f8
0x006b4036
0x006b4036
0x006b4038
0x006b403a
0x006b403c
0x006b4041
0x006b4043
0x006b4049
0x006b404e
0x006b404e
0x006b4051
0x006b4054
0x006b4057
0x006b4057
0x006b4059
0x006b405c
0x006b405f
0x006b4062
0x006b4064
0x006b4069
0x006b4069
0x006b406b
0x006b406e
0x006b4077
0x006b407c
0x006b407f
0x006b4081
0x00000000
0x00000000
0x006b4089
0x006b408a
0x006b408d
0x006b4090
0x006b4092
0x006b4095
0x006b4098
0x00000000
0x00000000
0x006b409a
0x006b409e
0x006b409e
0x00000000
0x006b409e
0x006b409c
0x00000000
0x006b409c
0x006b40a1
0x006b40a1
0x006b40a4
0x006b40a7
0x006b40aa
0x006b40aa
0x006b40aa
0x006b4057
0x006b40b7
0x006b40b7
0x006b3f7b
0x006b3f8a
0x006b3f8f
0x006b3f92
0x006b3f95
0x006b3f9a
0x006b3f9c
0x006b3f9c
0x006b3f9f
0x006b3fa2
0x006b3fa5
0x006b3fb1
0x006b3fba
0x006b3fcf
0x006b3fd5
0x006b3fd7
0x006b3fdd
0x006b3fdf
0x006b3fe4
0x006b3ff9
0x006b3ffe
0x006b4001
0x006b4004
0x006b4004
0x006b3fbc
0x006b3fc3
0x006b3fca
0x006b3fcd
0x00000000
0x00000000
0x006b3fcd
0x006b4007
0x006b4007
0x006b400a
0x006b400b
0x006b400e
0x006b4011
0x006b3fa2
0x00000000
0x006b3f9a
0x006b3f2c
0x006b3f2e
0x006b3f34
0x006b3f3e
0x00000000
0x006b3f50
0x006b3f61
0x006b3f66
0x006b3f6b
0x006b4015
0x00000000
0x00000000
0x00000000
0x00000000
0x006b3f6b
0x006b3f3e
0x006b3f2a

APIs

EncodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,006CD8DC), ref: 006B3F2E

Strings

MOC, xrefs: 006B3F40
RCC, xrefs: 006B3F48

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 4e6508d8a6e795cfaa9ab8a9fb3095803d809f8693c1f075e99b6efc9cfbd941
Instruction ID: 16d970319f9c74c6a9f59ede8ad473f1087a311ad48a432f3c41c84af2531e04
Opcode Fuzzy Hash: 4e6508d8a6e795cfaa9ab8a9fb3095803d809f8693c1f075e99b6efc9cfbd941
Instruction Fuzzy Hash: FB4167B2600209EFDF11DF44C881AEEB77AEF48314F288148FA0557352C775AEA1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 006B4E47 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E006B4E47(intOrPtr* _a4, signed char* _a8) {
				signed char* _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				long _v32;
				void _v36;
				DWORD* _t19;
				intOrPtr _t20;
				intOrPtr* _t22;
				signed int _t23;
				intOrPtr* _t26;
				signed char* _t31;

				_t22 = _a4;
				_t23 = 8;
				memcpy( &_v36, 0x6c2178, _t23 << 2);
				_t31 = _a8;
				if(_t31 != 0 && ( *_t31 & 0x00000010) != 0) {
					_t26 =  *_t22 - 4;
					_t20 =  *_t26;
					_t31 =  *(_t20 + 0x18);
					L006B2A05();
					 *((intOrPtr*)( *((intOrPtr*)(_t20 + 0x20))))(_t26);
				}
				_v12 = _t22;
				_v8 = _t31;
				if(_t31 != 0 && ( *_t31 & 0x00000008) != 0) {
					_v16 = 0x1994000;
				}
				_t19 =  &_v16;
				_t15 =  &_v20; // 0x6b2c73
				RaiseException(_v36, _v32,  *_t15, _t19);
				return _t19;
			}

0x006b4e4e
0x006b4e55
0x006b4e5e
0x006b4e60
0x006b4e65
0x006b4e6e
0x006b4e72
0x006b4e79
0x006b4e7c
0x006b4e81
0x006b4e81
0x006b4e83
0x006b4e86
0x006b4e8b
0x006b4e92
0x006b4e92
0x006b4e99
0x006b4e9d
0x006b4ea6
0x006b4eb2

APIs

RaiseException.KERNEL32(?,?,s,k,00000000,00000000,?,-00000002,?,?,?,?,006B2C73,00000000,006CD778,-00000002,00000000), ref: 006B4EA6

Strings

s,k, xrefs: 006B4E9D
x!l, xrefs: 006B4E56

Memory Dump Source

Source File: 00000000.00000002.725815674.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.725773275.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.725959949.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726074510.00000000006CF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726116527.00000000006D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006D3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.726147829.00000000006DA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_Adobe CEF Helper 3.jbxd

Similarity

API ID: ExceptionRaise
String ID: s,k$x!l
API String ID: 3997070919-1665773512
Opcode ID: ba28075b94f1ec52506850658716ce24ee65f9d0547cf1fbf2865cf1b8b79cb3
Instruction ID: 1660798001d08ca9b038815481455f516ec9cf834d1bc984bc41f62fb5a420d7
Opcode Fuzzy Hash: ba28075b94f1ec52506850658716ce24ee65f9d0547cf1fbf2865cf1b8b79cb3
Instruction Fuzzy Hash: 010184B2900219ABCF15DF99D840FEEBBBAFF8C710F154159E90467391CB71A851CB90

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Adobe CEF Helper 3.9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: Adobe CEF Helper 3.9.exePID: 8340, Parent PID: 5036

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Windows Analysis Report
Adobe CEF Helper 3.9.exe