Edit tour

Windows Analysis Report
l5Cp6aAf3o.exe

Overview

General Information

Sample name:	l5Cp6aAf3o.exe renamed because original name is a hash value
Original sample name:	7d3b45b611a612c3ebd77457c79950d6f7414e37efe2a4c58ed6e5a17f7b3e1d.exe
Analysis ID:	1632426
MD5:	368261894981b06ed7ecc369e81200a6
SHA1:	4d9038a3b7152d7c62cbbc96808cf1bd9a2e9d2e
SHA256:	7d3b45b611a612c3ebd77457c79950d6f7414e37efe2a4c58ed6e5a17f7b3e1d
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Drops executable to a common third party application directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

l5Cp6aAf3o.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\l5Cp6aAf3o.exe" MD5: 368261894981B06ED7ECC369E81200A6)

l5Cp6aAf3o.exe (PID: 6188 cmdline: "C:\Users\user\Desktop\l5Cp6aAf3o.exe" MD5: 368261894981B06ED7ECC369E81200A6)

adobe.exe (PID: 3636 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 368261894981B06ED7ECC369E81200A6)

adobe.exe (PID: 5160 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 368261894981B06ED7ECC369E81200A6)

adobe.exe (PID: 5696 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 368261894981B06ED7ECC369E81200A6)

adobe.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Roaming\adobe\adobe.exe" MD5: 368261894981B06ED7ECC369E81200A6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_evica", "Password": "Doll440@@"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.3606212050.000000000304C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1356297287.000000000279C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3606453711.00000000028EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1356297287.0000000002771000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1356297287.0000000002771000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.1347515701.0000000000762000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1347515701.0000000000762000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.3606212050.0000000003021000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3606212050.0000000003021000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3606453711.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3606453711.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1137270533.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1137270533.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: l5Cp6aAf3o.exe PID: 7120	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: l5Cp6aAf3o.exe PID: 7120	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: l5Cp6aAf3o.exe PID: 6188	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: l5Cp6aAf3o.exe PID: 6188	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 5160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 5160	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: adobe.exe PID: 5744	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: adobe.exe PID: 5744	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.adobe.exe.760000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.adobe.exe.760000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.adobe.exe.760000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f56:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fc8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34052:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3414e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34256:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x342e6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.adobe.exe.760000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31239:$s2: GetPrivateProfileString 0x30944:$s3: get_OSFullName 0x31f6e:$s5: remove_Key 0x32113:$s5: remove_Key 0x33072:$s6: FtpWebRequest 0x33f38:$s7: logins 0x344aa:$s7: logins 0x371bb:$s7: logins 0x3726d:$s7: logins 0x38bbe:$s7: logins 0x37e07:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32156:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x321c8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32252:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x322e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3234e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x323c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32456:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x324e6:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f439:$s2: GetPrivateProfileString 0x2eb44:$s3: get_OSFullName 0x3016e:$s5: remove_Key 0x30313:$s5: remove_Key 0x31272:$s6: FtpWebRequest 0x32138:$s7: logins 0x326aa:$s7: logins 0x353bb:$s7: logins 0x3546d:$s7: logins 0x36dbe:$s7: logins 0x36007:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33f56:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f586:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa9a6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33fc8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f5f8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaaa18:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34052:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f682:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaaaa2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x340e4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f714:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaab34:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3414e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f77e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaab9e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x341c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7f0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaac10:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34256:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f886:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaaca6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31239:$s2: GetPrivateProfileString 0x6c869:$s2: GetPrivateProfileString 0xa7c89:$s2: GetPrivateProfileString 0x30944:$s3: get_OSFullName 0x6bf74:$s3: get_OSFullName 0xa7394:$s3: get_OSFullName 0x31f6e:$s5: remove_Key 0x32113:$s5: remove_Key 0x6d59e:$s5: remove_Key 0x6d743:$s5: remove_Key 0xa89be:$s5: remove_Key 0xa8b63:$s5: remove_Key 0x33072:$s6: FtpWebRequest 0x6e6a2:$s6: FtpWebRequest 0xa9ac2:$s6: FtpWebRequest 0x33f38:$s7: logins 0x344aa:$s7: logins 0x371bb:$s7: logins 0x3726d:$s7: logins 0x38bbe:$s7: logins 0x6f568:$s7: logins
0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x17d406:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1b8a36:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1f3e56:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x17d478:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1b8aa8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1f3ec8:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x17d502:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1b8b32:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1f3f52:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x17d594:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1b8bc4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1f3fe4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x17d5fe:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1b8c2e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1f404e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x17d670:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1b8ca0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1f40c0:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x17d706:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1b8d36:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1f4156:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x17a6e9:$s2: GetPrivateProfileString 0x1b5d19:$s2: GetPrivateProfileString 0x1f1139:$s2: GetPrivateProfileString 0x179df4:$s3: get_OSFullName 0x1b5424:$s3: get_OSFullName 0x1f0844:$s3: get_OSFullName 0x17b41e:$s5: remove_Key 0x17b5c3:$s5: remove_Key 0x1b6a4e:$s5: remove_Key 0x1b6bf3:$s5: remove_Key 0x1f1e6e:$s5: remove_Key 0x1f2013:$s5: remove_Key 0x17c522:$s6: FtpWebRequest 0x1b7b52:$s6: FtpWebRequest 0x1f2f72:$s6: FtpWebRequest 0x17d3e8:$s7: logins 0x17d95a:$s7: logins 0x18066b:$s7: logins 0x18071d:$s7: logins 0x18206e:$s7: logins 0x1b8a18:$s7: logins
0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x113fd6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x14f606:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x18aa26:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x114048:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x14f678:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x18aa98:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1140d2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x14f702:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x18ab22:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x114164:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x14f794:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x18abb4:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1141ce:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x14f7fe:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x18ac1e:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x114240:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x14f870:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x18ac90:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1142d6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x14f906:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x18ad26:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x1112b9:$s2: GetPrivateProfileString 0x14c8e9:$s2: GetPrivateProfileString 0x187d09:$s2: GetPrivateProfileString 0x1109c4:$s3: get_OSFullName 0x14bff4:$s3: get_OSFullName 0x187414:$s3: get_OSFullName 0x111fee:$s5: remove_Key 0x112193:$s5: remove_Key 0x14d61e:$s5: remove_Key 0x14d7c3:$s5: remove_Key 0x188a3e:$s5: remove_Key 0x188be3:$s5: remove_Key 0x1130f2:$s6: FtpWebRequest 0x14e722:$s6: FtpWebRequest 0x189b42:$s6: FtpWebRequest 0x113fb8:$s7: logins 0x11452a:$s7: logins 0x11723b:$s7: logins 0x1172ed:$s7: logins 0x118c3e:$s7: logins 0x14f5e8:$s7: logins
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 213.189.52.181, DestinationIsIpv6: false, DestinationPort: 65535, EventID: 3, Image: C:\Users\user\Desktop\l5Cp6aAf3o.exe, Initiated: true, ProcessId: 6188, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49701

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\adobe\adobe.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\l5Cp6aAf3o.exe, ProcessId: 6188, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:37:21.166128+0100	2029927	1	A Network Trojan was detected	192.168.2.11	49700	213.189.52.181	21	TCP
2025-03-07T23:37:34.668685+0100	2029927	1	A Network Trojan was detected	192.168.2.11	49708	213.189.52.181	21	TCP
2025-03-07T23:37:42.779851+0100	2029927	1	A Network Trojan was detected	192.168.2.11	49711	213.189.52.181	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:37:21.744541+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49701	213.189.52.181	65535	TCP
2025-03-07T23:37:21.750206+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49701	213.189.52.181	65535	TCP
2025-03-07T23:37:35.203228+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49709	213.189.52.181	63094	TCP
2025-03-07T23:37:35.208687+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49709	213.189.52.181	63094	TCP
2025-03-07T23:37:43.405296+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49712	213.189.52.181	64223	TCP
2025-03-07T23:37:43.410813+0100	2855542	1	A Network Trojan was detected	192.168.2.11	49712	213.189.52.181	64223	TCP

Joe Security MALWARE AgentTesla - FTP Exfil Passwords

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:37:43.410813+0100	1800009	1	A Network Trojan was detected	192.168.2.11	49712	213.189.52.181	64223	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: l5Cp6aAf3o.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Avira: detection malicious, Label: TR/AD.GenSteal.giyej

Found malware configuration

Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://s4.serv00.com", "Username": "f2241_evica", "Password": "Doll440@@"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Virustotal: Detection: 72%			Perma Link

Multi AV Scanner detection for submitted file

Source: l5Cp6aAf3o.exe	Virustotal: Detection: 72%			Perma Link
Source: l5Cp6aAf3o.exe	ReversingLabs: Detection: 71%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: l5Cp6aAf3o.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.11:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.11:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.11:49710 version: TLS 1.2

Source: l5Cp6aAf3o.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: l5Cp6aAf3o.exe, 00000000.00000002.1137073337.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, l5Cp6aAf3o.exe, 00000000.00000002.1138475103.0000000005580000.00000004.08000000.00040000.00000000.sdmp, adobe.exe, 00000004.00000002.1276090316.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000B.00000002.1356607093.000000000307E000.00000004.00000800.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.11:49701 -> 213.189.52.181:65535
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.11:49711 -> 213.189.52.181:21
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.11:49709 -> 213.189.52.181:63094
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.11:49712 -> 213.189.52.181:64223
Source: Network traffic	Suricata IDS: 1800009 - Severity 1 - Joe Security MALWARE AgentTesla - FTP Exfil Passwords : 192.168.2.11:49712 -> 213.189.52.181:64223
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.11:49700 -> 213.189.52.181:21
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.11:49708 -> 213.189.52.181:21

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 213.189.52.181 ports 64223,65535,64639,1,2,63094,21

Source: global traffic

TCP traffic: 192.168.2.11:49701 -> 213.189.52.181:65535

Source: Joe Sandbox View	IP Address: 213.189.52.181 213.189.52.181
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 213.189.52.181:21 -> 192.168.2.11:49700 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 23:37. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 23:37. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 150 allowed.220-Local time is now 23:37. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s4.serv00.com

Source: l5Cp6aAf3o.exe, 00000002.00000002.3606453711.0000000002906000.00000004.00000800.00020000.00000000.sdmp, l5Cp6aAf3o.exe, 00000002.00000002.3606453711.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1356297287.000000000279C000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.3606212050.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s4.serv00.com
Source: l5Cp6aAf3o.exe, 00000002.00000002.3606453711.0000000002871000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1356297287.0000000002721000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.3606212050.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: l5Cp6aAf3o.exe, 00000000.00000002.1137270533.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1347515701.0000000000762000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: l5Cp6aAf3o.exe, 00000000.00000002.1137270533.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, l5Cp6aAf3o.exe, 00000002.00000002.3606453711.0000000002871000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1356297287.0000000002721000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1347515701.0000000000762000.00000040.00000400.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.3606212050.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: l5Cp6aAf3o.exe, 00000002.00000002.3606453711.0000000002871000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1356297287.0000000002721000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.3606212050.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: l5Cp6aAf3o.exe, 00000002.00000002.3606453711.0000000002871000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1356297287.0000000002721000.00000004.00000800.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.3606212050.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.11:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.11:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.11:49710 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, SKTzxzsJw.cs

.Net Code: yMwXHKL8p

Installs a global keyboard hook

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\l5Cp6aAf3o.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\adobe\adobe.exe	Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.adobe.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.adobe.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 0_2_00F6D324	0_2_00F6D324
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_00EEF208	2_2_00EEF208
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_00EEE320	2_2_00EEE320
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_00EE4A90	2_2_00EE4A90
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_00EE3E78	2_2_00EE3E78
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_00EE41C0	2_2_00EE41C0
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_00EEB3B0	2_2_00EEB3B0
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_06292A68	2_2_06292A68
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_06292A5B	2_2_06292A5B
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062F6238	2_2_062F6238
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062F30A8	2_2_062F30A8
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062F51E8	2_2_062F51E8
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062FC1D8	2_2_062FC1D8
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062FAE6A	2_2_062FAE6A
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062F591B	2_2_062F591B
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062F79C8	2_2_062F79C8
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062FE400	2_2_062FE400
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062F72E8	2_2_062F72E8
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062F0006	2_2_062F0006
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062F0040	2_2_062F0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 4_2_00E6D324	4_2_00E6D324
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_024CE0F8	5_2_024CE0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_024CB5F7	5_2_024CB5F7
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_024C4A90	5_2_024C4A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_024CE8A9	5_2_024CE8A9
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_024C3E78	5_2_024C3E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_024CADA8	5_2_024CADA8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_024C41C0	5_2_024C41C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063D6638	5_2_063D6638
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063D34A8	5_2_063D34A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063D55E8	5_2_063D55E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063D7DC8	5_2_063D7DC8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063DB26F	5_2_063DB26F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063DC1D8	5_2_063DC1D8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063D76E8	5_2_063D76E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063D277A	5_2_063D277A
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063D8408	5_2_063D8408
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063DE400	5_2_063DE400
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063D5D1B	5_2_063D5D1B
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063D0040	5_2_063D0040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_064C2442	5_2_064C2442
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_064C2468	5_2_064C2468
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_064C2462	5_2_064C2462
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_063D0006	5_2_063D0006
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 11_2_0137D324	11_2_0137D324
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_013DE0F8	12_2_013DE0F8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_013DE8A9	12_2_013DE8A9
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_013D4A90	12_2_013D4A90
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_013D3E78	12_2_013D3E78
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_013D41C0	12_2_013D41C0
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_013DADA8	12_2_013DADA8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C66638	12_2_06C66638
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C634A8	12_2_06C634A8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C67DC8	12_2_06C67DC8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C655E8	12_2_06C655E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C6B26F	12_2_06C6B26F
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C6C1D8	12_2_06C6C1D8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C676E8	12_2_06C676E8
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C6E400	12_2_06C6E400
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C65D1B	12_2_06C65D1B
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C60040	12_2_06C60040
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06D52458	12_2_06D52458
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06D52468	12_2_06D52468
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06C60007	12_2_06C60007

Source: l5Cp6aAf3o.exe, 00000000.00000002.1137073337.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs l5Cp6aAf3o.exe
Source: l5Cp6aAf3o.exe, 00000000.00000002.1137073337.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed9e9e37e-59b8-4cab-97db-2b15f3b5cf75.exe4 vs l5Cp6aAf3o.exe
Source: l5Cp6aAf3o.exe, 00000000.00000002.1137270533.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs l5Cp6aAf3o.exe
Source: l5Cp6aAf3o.exe, 00000000.00000002.1137270533.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamed9e9e37e-59b8-4cab-97db-2b15f3b5cf75.exe4 vs l5Cp6aAf3o.exe
Source: l5Cp6aAf3o.exe, 00000000.00000000.1128253840.00000000008CB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAcrobat.exe< vs l5Cp6aAf3o.exe
Source: l5Cp6aAf3o.exe, 00000000.00000002.1138475103.0000000005580000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs l5Cp6aAf3o.exe
Source: l5Cp6aAf3o.exe, 00000000.00000002.1135885675.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs l5Cp6aAf3o.exe
Source: l5Cp6aAf3o.exe, 00000000.00000002.1138531233.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs l5Cp6aAf3o.exe
Source: l5Cp6aAf3o.exe, 00000002.00000002.3603221163.0000000000887000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs l5Cp6aAf3o.exe
Source: l5Cp6aAf3o.exe, 00000002.00000002.3602880955.0000000000789000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs l5Cp6aAf3o.exe
Source: l5Cp6aAf3o.exe	Binary or memory string: OriginalFilenameAcrobat.exe< vs l5Cp6aAf3o.exe

Source: l5Cp6aAf3o.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.adobe.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.adobe.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: l5Cp6aAf3o.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: l5Cp6aAf3o.exe, -.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.l5Cp6aAf3o.exe.55b0000.6.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.l5Cp6aAf3o.exe.55b0000.6.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@2/2

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

File created: C:\Users\user\AppData\Roaming\adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Mutant created: NULL

Source: l5Cp6aAf3o.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: l5Cp6aAf3o.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: l5Cp6aAf3o.exe	Virustotal: Detection: 72%
Source: l5Cp6aAf3o.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

File read: C:\Users\user\Desktop\l5Cp6aAf3o.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\l5Cp6aAf3o.exe "C:\Users\user\Desktop\l5Cp6aAf3o.exe"
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process created: C:\Users\user\Desktop\l5Cp6aAf3o.exe "C:\Users\user\Desktop\l5Cp6aAf3o.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process created: C:\Users\user\Desktop\l5Cp6aAf3o.exe "C:\Users\user\Desktop\l5Cp6aAf3o.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: l5Cp6aAf3o.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: l5Cp6aAf3o.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: l5Cp6aAf3o.exe

Static file information: File size 1573888 > 1048576

Source: l5Cp6aAf3o.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x125200

Source: l5Cp6aAf3o.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: l5Cp6aAf3o.exe, --c.cs

.Net Code: CypherMatic System.Reflection.Assembly.Load(byte[])

Source: l5Cp6aAf3o.exe

Static PE information: 0xD7B686A6 [Wed Sep 6 07:24:22 2084 UTC]

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 0_2_00F6A0C1 push eax; iretd	0_2_00F6A0C3
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 0_2_00F6C3E0 push cs; iretd	0_2_00F6C3EE
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 0_2_00F6C4C8 push cs; iretd	0_2_00F6C4D6
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 0_2_00F6C520 push cs; iretd	0_2_00F6C52E
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 0_2_00F6F362 pushfd ; iretd	0_2_00F6F36F
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_00EEAABB push eax; retf 027Bh	2_2_00EEAAC1
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_06292345 push edi; ret	2_2_06292346
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_06297C72 push es; ret	2_2_06297C80
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_0629381F push esp; ret	2_2_06293820
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_06293857 push esp; ret	2_2_0629385F
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Code function: 2_2_062FFBD1 push eax; ret	2_2_062FFBDD
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_024CEED0 pushad ; ret	5_2_024CEED1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_064C866D push esp; iretd	5_2_064C8675
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_064C8068 push esp; iretd	5_2_064C8071
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 5_2_064C7673 push es; ret	5_2_064C7680
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 11_2_0137F362 push cs; ret	11_2_0137F3C5
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 11_2_0137B488 push esp; ret	11_2_0137B4CA
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 11_2_0137B4E8 push esp; ret	11_2_0137B4FE
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_013DEED0 pushad ; ret	12_2_013DEED1
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06D5866D push esp; iretd	12_2_06D58675
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Code function: 12_2_06D58068 push esp; iretd	12_2_06D58071

Source: l5Cp6aAf3o.exe

Static PE information: section name: .text entropy: 7.726502334340935

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

File written: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

File created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run adobe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

File opened: C:\Users\user\AppData\Roaming\adobe\adobe.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Memory allocated: F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Memory allocated: 1340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 25E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 45E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 24C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 1330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 13D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599230	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598684	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598148	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598027	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596561	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595670	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595501	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595225	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598076	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597963	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597816	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596463	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599873	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597948	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597814	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597138	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595308	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595195	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594093	Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Window / User API: threadDelayed 7279	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Window / User API: threadDelayed 2568	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 3005	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 3869	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 3400	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Window / User API: threadDelayed 6428	Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6608	Thread sleep count: 7279 > 30	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6608	Thread sleep count: 2568 > 30	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -599452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -599230s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -598684s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -598577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -598148s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -598027s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -596671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -596561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -596109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -595670s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -595501s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -595375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -595225s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe TID: 6600	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1292	Thread sleep count: 3005 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 1292	Thread sleep count: 3869 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -598076s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -597963s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -597816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -596577s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -596463s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -596358s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -596248s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 5504	Thread sleep time: -596002s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2056	Thread sleep count: 3400 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -599873s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 2056	Thread sleep count: 6428 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -598561s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -598452s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -597948s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -597814s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -597138s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -595308s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -595195s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -594966s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -594422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe TID: 7144	Thread sleep time: -594093s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599230	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598684	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598148	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 598027	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596561	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595670	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595501	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595225	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598076	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597963	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597816	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596577	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596463	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599873	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598561	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597948	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597814	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597138	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595308	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595195	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Thread delayed: delay time: 594093	Jump to behavior

Source: l5Cp6aAf3o.exe, 00000002.00000002.3603221163.0000000000929000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 00000005.00000002.1348060454.0000000000932000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.3604739711.00000000014D1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.l5Cp6aAf3o.exe.2e1eb1c.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.l5Cp6aAf3o.exe.2e1eb1c.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.l5Cp6aAf3o.exe.2e1eb1c.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, zOS.cs	Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Process created: C:\Users\user\Desktop\l5Cp6aAf3o.exe "C:\Users\user\Desktop\l5Cp6aAf3o.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\adobe.exe "C:\Users\user\AppData\Roaming\adobe\adobe.exe"	Jump to behavior

Source: l5Cp6aAf3o.exe, 00000002.00000002.3606453711.00000000028F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q8<b>[ Program Manager]</b> (08/03/2025 06:11:50)<br>{Win}TH
Source: l5Cp6aAf3o.exe, 00000002.00000002.3606453711.00000000028F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: l5Cp6aAf3o.exe, 00000002.00000002.3606453711.00000000028F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: l5Cp6aAf3o.exe, 00000002.00000002.3606453711.00000000028F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q9<b>[ Program Manager]</b> (08/03/2025 06:11:50)<br>{Win}rTH
Source: l5Cp6aAf3o.exe, 00000002.00000002.3606453711.00000000028F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q3<b>[ Program Manager]</b> (08/03/2025 06:11:50)<br>
Source: l5Cp6aAf3o.exe, 00000002.00000002.3606453711.0000000002906000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 03/24/2025 13:23:41<br>User Name: user<br>Computer Name: 783875<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 24.38.253.191<br><hr><b>[ Program Manager]</b> (08/03/2025 06:11:50)<br>{Win}r</html>

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Users\user\Desktop\l5Cp6aAf3o.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Users\user\Desktop\l5Cp6aAf3o.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Users\user\AppData\Roaming\Adobe\adobe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.adobe.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3606212050.000000000304C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1356297287.000000000279C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3606453711.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1356297287.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1347515701.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3606212050.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3606453711.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1137270533.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: l5Cp6aAf3o.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: l5Cp6aAf3o.exe PID: 6188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5744, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\l5Cp6aAf3o.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobe\adobe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 5.2.adobe.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1356297287.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1347515701.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3606212050.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3606453711.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1137270533.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: l5Cp6aAf3o.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: l5Cp6aAf3o.exe PID: 6188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5744, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.adobe.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3f7c250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3e32da0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.l5Cp6aAf3o.exe.3e9c1d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3606212050.000000000304C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1356297287.000000000279C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3606453711.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1356297287.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1347515701.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3606212050.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3606453711.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1137270533.0000000003DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: l5Cp6aAf3o.exe PID: 7120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: l5Cp6aAf3o.exe PID: 6188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: adobe.exe PID: 5744, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report l5Cp6aAf3o.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
l5Cp6aAf3o.exe