
Windows Analysis Report
ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe

Overview

General Information

Sample name: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
Analysis ID: 1566986
MD5: a21780a599c30bcf11b6152ff9d16be2
SHA1: 953f98a9904c76b275809bad78d16cf550f2483d
SHA256: 93ea6ac422f90a1031160360409fea1c16c533be06cc2b6e71e748ee3d20683a
Tags: exe, user-threatcat_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Drops executable to a common third party application directory
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
    • ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe (PID: 5324 cmdline: "C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
      • Adobe.exe (PID: 1200 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
        • Adobe.exe (PID: 6504 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
        • Adobe.exe (PID: 2796 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
          • Adobe.exe (PID: 6200 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\lajbmlzkezuensg" MD5: A21780A599C30BCF11B6152FF9D16BE2)
          • Adobe.exe (PID: 3620 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vdpundkdshmrqyukhkq" MD5: A21780A599C30BCF11B6152FF9D16BE2)
          • Adobe.exe (PID: 6448 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\gxumowvfgpewamqoqvdmfn" MD5: A21780A599C30BCF11B6152FF9D16BE2)
  • Adobe.exe (PID: 3220 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
    • Adobe.exe (PID: 5660 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
  • Adobe.exe (PID: 5240 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
    • Adobe.exe (PID: 7132 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
    • Adobe.exe (PID: 4708 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
    • Adobe.exe (PID: 6108 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
  • Adobe.exe (PID: 7088 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
    • Adobe.exe (PID: 6148 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
    • Adobe.exe (PID: 3228 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
    • Adobe.exe (PID: 6660 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: A21780A599C30BCF11B6152FF9D16BE2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe_Nov-3XE9WN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
00000003.00000002.2086357247.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.2271330549.0000000001277000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000014.00000002.2432009216.0000000000A87000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000010.00000002.2350119787.0000000000E27000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, ProcessId: 5324, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe_Nov-3XE9WN
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, ProcessId: 5324, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Nov-3XE9WN

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T22:05:09.013181+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49708 | 104.250.180.178 | 7902 | TCP
2024-12-02T22:05:12.432650+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 104.250.180.178 | 7902 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T22:05:12.639026+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 178.237.33.50 | 80 | TCP


AV Detection

Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Avira: detected
Source: C:\ProgramData\Adobe\Adobe.exe | Avira: detection malicious, Label: HEUR/AGEN.1309499
Source: 00000003.00000002.2086357247.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe_Nov-3XE9WN", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe", "Keylog folder": "remcos"}
Source: C:\ProgramData\Adobe\Adobe.exe | ReversingLabs: Detection: 52%
Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | ReversingLabs: Detection: 52%
Source: Yara match | File source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2086357247.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2271330549.0000000001277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2432009216.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2350119787.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 7108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 5324, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5660, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 6108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 6660, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Adobe\Adobe.exe | Joe Sandbox ML: detected
Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,3_2_0043293A
Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_08aaf9df-d

Exploits

Source: Yara match | File source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 7108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 5324, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00406764 _wcslen,CoGetObject,3_2_00406764
Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Adcf.pdb | source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, Adobe.exe.3.dr
Source: Binary string: Adcf.pdbSHA256cx | source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, Adobe.exe.3.dr
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040B335
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,3_2_0041B42F
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040B53A
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0044D5E9 FindFirstFileExA,3_2_0044D5E9
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,3_2_004089A9
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,3_2_00406AC2
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,3_2_00407A8C
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00418C69
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,3_2_00408DA7
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_10006580 FindFirstFileExA,6_2_10006580
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW,9_2_0040AE51
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,10_2_00407EF8
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407898
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00406F06

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49708 -> 104.250.180.178:7902
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49710 -> 104.250.180.178:7902
Source: Malware configuration extractor | IPs: 104.250.180.178
Source: global traffic | TCP traffic: 192.168.2.5:49708 -> 104.250.180.178:7902
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View | ASN Name: M247GB M247GB
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49711 -> 178.237.33.50:80
Source: unknown | TCP traffic detected without corresponding DNS query: 104.250.180.178 (50 identical entries)
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_004260F7 recv,3_2_004260F7
                  Source: Adobe.exe, 00000009.00000002.2268520420.00000000011ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                  Source: Adobe.exe, 00000009.00000002.2268520420.00000000011ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: Adobe.exe, Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: Adobe.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: bhv55B4.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv55B4.tmp.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv55B4.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv55B4.tmp.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv55B4.tmp.9.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Adobe.exe, 00000006.00000002.4489027387.000000000114E000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000006.00000002.4489027387.0000000001172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpA
Source: Adobe.exe, 00000006.00000002.4489027387.0000000001172000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpCS
Source: bhv55B4.tmp.9.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: Adobe.exe, Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: Adobe.exe, Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: Adobe.exe, 00000009.00000002.2267964354.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: Adobe.exe, 00000009.00000002.2268188672.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: Adobe.exe, 00000009.00000002.2268188672.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Adobe.exe, 00000009.00000002.2268188672.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: Adobe.exe, 00000009.00000002.2268188672.0000000000DCC000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000009.00000002.2268520420.00000000011ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Adobe.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: Adobe.exe, Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: Adobe.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 10_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 10_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 7108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 5324, type: MEMORYSTR
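The rows in this section list the API calls inside each function, and the security-relevant detail is in the arguments: 0000000D passed to SetWindowsHookExA is WH_KEYBOARD_LL, a low-level keyboard hook that receives every keystroke system-wide, and the GetKeyboardState/ToUnicodeEx sequence in 3_2_00409B10 translates virtual-key codes into printable characters under the foreground window's layout, which is the classic keylogger loop. The script below is an added example (mine, not the report's or the sandbox vendor's) that parses such rows and turns them into behaviour tags. The four rows are copied from this section with the cell separator restored; the parsing heuristic (8-digit hex tokens are resolved arguments, everything else is an API name) and the tag names are assumptions of mine.

```python
"""Tag Joe Sandbox 'Code function' rows with keylogging/clipboard behaviours."""
import re

# user32.h hook identifiers (standard values).
HOOK_IDS = {0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK", 2: "WH_KEYBOARD",
            3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT", 7: "WH_MOUSE",
            13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# Rows copied from the report section above.
ROWS = [
    "Code function: 3_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000",
    "Code function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,"
    "GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,"
    "GlobalLock,GlobalUnlock,CloseClipboard",
    "Code function: 3_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,"
    "GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,"
    "ToUnicodeEx,ToUnicodeEx",
    "Code function: 9_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,"
    "ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,"
    "CloseClipboard",
]

ROW_RE = re.compile(r"Code function: (?P<proc>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-F]{8}) (?P<body>.+)")
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_row(row):
    """Return (function_id, api_names, {api: [args]}).

    Heuristic (assumption): the body is comma-separated; a resolved argument is
    appended after the API name and further arguments follow as bare 8-digit
    hex tokens, so those tokens are attached to the most recent API name."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"not a Code function row: {row}")
    apis, args = [], {}
    for token in m["body"].split(","):
        token = token.strip()
        if HEX_ARG.match(token):
            if apis:
                args.setdefault(apis[-1], []).append(int(token, 16))
            continue
        name, _, first_arg = token.partition(" ")
        apis.append(name)
        if first_arg:
            args.setdefault(name, []).append(int(first_arg, 16))
    return f'{m["proc"]}_{m["phase"]}_{m["addr"]}', apis, args


def tag_behaviours(row):
    """Map one row to MITRE-style tags based on the APIs and hook id it uses."""
    func_id, apis, args = parse_row(row)
    api_set = set(apis)
    tags = []
    for hook_api in ("SetWindowsHookExA", "SetWindowsHookExW"):
        for hook_id in args.get(hook_api, [])[:1]:  # first arg is idHook
            name = HOOK_IDS.get(hook_id, f"WH_{hook_id}")
            if name in ("WH_KEYBOARD", "WH_KEYBOARD_LL"):
                tags.append(f"T1056.001 keylogging hook {name}")
            elif name in ("WH_MOUSE", "WH_MOUSE_LL"):
                tags.append(f"mouse hook {name}")
            else:
                tags.append(f"hook {name}")
    if {"GetKeyboardState", "ToUnicodeEx"} <= api_set:
        tags.append("T1056.001 keystroke-to-text translation")
    if {"OpenClipboard", "GetClipboardData"} <= api_set:
        tags.append("T1115 clipboard read")
    if "SetClipboardData" in api_set:
        tags.append("clipboard write")
    return func_id, tags


def scan(rows):
    """{function_id: [tags]} for every row."""
    return dict(tag_behaviours(r) for r in rows)


if __name__ == "__main__":
    for fid, tags in scan(ROWS).items():
        print(fid, tags)
```

A hook-based keylogger needs a message loop in the installing thread and pairs the hook with ToUnicodeEx to get printable text, so a process that both installs WH_KEYBOARD_LL and imports ToUnicodeEx/GetKeyboardState without being an input-method or accessibility tool is a strong signal on its own; the clipboard write chains in Adobe.exe (ReadFile into SetClipboardData) are the operator pushing content onto the victim's clipboard, the reverse of harvesting it.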

                  E-Banking Fraud

Source: Yara match | File source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2086357247.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2271330549.0000000001277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2432009216.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.2350119787.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 7108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 5324, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 5660, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 6108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 6660, type: MEMORYSTR

                  Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0041BB77 SystemParametersInfoW

                  System Summary

Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 7108, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 5324, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: initial sampleStatic PE information: Filename: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess Stats: CPU usage > 49%
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,9_2_0040DD85
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00401806 NtdllDefWindowProc_W,9_2_00401806
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_004018C0 NtdllDefWindowProc_W,9_2_004018C0
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_004016FD NtdllDefWindowProc_A,10_2_004016FD
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_004017B7 NtdllDefWindowProc_A,10_2_004017B7
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 11_2_00402CAC NtdllDefWindowProc_A,11_2_00402CAC
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 11_2_00402D66 NtdllDefWindowProc_A,11_2_00402D66
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,3_2_004158B9
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 0_2_014ED3A40_2_014ED3A4
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 0_2_0751A7300_2_0751A730
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 0_2_075186600_2_07518660
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 0_2_07518ED00_2_07518ED0
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 0_2_07518A980_2_07518A98
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0041D0713_2_0041D071
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_004520D23_2_004520D2
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0043D0983_2_0043D098
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_004371503_2_00437150
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_004361AA3_2_004361AA
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_004262543_2_00426254
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_004313773_2_00431377
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0043651C3_2_0043651C
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0041E5DF3_2_0041E5DF
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0044C7393_2_0044C739
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_004367C63_2_004367C6
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_004267CB3_2_004267CB
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0043C9DD3_2_0043C9DD
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00432A493_2_00432A49
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00436A8D3_2_00436A8D
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0043CC0C3_2_0043CC0C
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00436D483_2_00436D48
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00434D223_2_00434D22
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00426E733_2_00426E73
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00440E203_2_00440E20
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0043CE3B3_2_0043CE3B
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00412F453_2_00412F45
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00452F003_2_00452F00
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00426FAD3_2_00426FAD
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 4_2_02CCD3A44_2_02CCD3A4
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 6_2_100171946_2_10017194
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 6_2_1000B5C16_2_1000B5C1
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 8_2_02E4D3A48_2_02E4D3A4
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 8_2_0740A7308_2_0740A730
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 8_2_074086608_2_07408660
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 8_2_07408ED08_2_07408ED0
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 8_2_07408A988_2_07408A98
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0044B0409_2_0044B040
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0043610D9_2_0043610D
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_004473109_2_00447310
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0044A4909_2_0044A490
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0040755A9_2_0040755A
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0043C5609_2_0043C560
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0044B6109_2_0044B610
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0044D6C09_2_0044D6C0
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_004476F09_2_004476F0
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0044B8709_2_0044B870
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0044081D9_2_0044081D
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_004149579_2_00414957
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_004079EE9_2_004079EE
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00407AEB9_2_00407AEB
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0044AA809_2_0044AA80
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00412AA99_2_00412AA9
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00404B749_2_00404B74
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00404B039_2_00404B03
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0044BBD89_2_0044BBD8
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00404BE59_2_00404BE5
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00404C769_2_00404C76
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00415CFE9_2_00415CFE
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00416D729_2_00416D72
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00446D309_2_00446D30
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00446D8B9_2_00446D8B
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_00406E8F9_2_00406E8F
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0040503810_2_00405038
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0041208C10_2_0041208C
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_004050A910_2_004050A9
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0040511A10_2_0040511A
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0043C13A10_2_0043C13A
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_004051AB10_2_004051AB
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0044930010_2_00449300
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0040D32210_2_0040D322
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 004169A7 appears 87 times
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 0044DB70 appears 41 times
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 004165FF appears 35 times
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 00422297 appears 42 times
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 00444B5A appears 37 times
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 00413025 appears 79 times
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 00416760 appears 69 times
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: String function: 00401F66 appears 50 times
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: String function: 004020E7 appears 39 times
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: String function: 004338A5 appears 41 times
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: String function: 00433FB0 appears 55 times
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, 00000000.00000002.2091696194.0000000007520000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, 00000000.00000002.2091322556.0000000006210000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, 00000000.00000002.2084479691.000000000139E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, 00000000.00000002.2086690517.00000000030E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Binary or memory string: OriginalFilenameAdcf.exe6 vs ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 7108, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 5324, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Adobe.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, vG3AfOoUidGGkxae9N.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, ISRxbcSJBsxg9PE50M.cs | Security API names: _0020.SetAccessControl
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, ISRxbcSJBsxg9PE50M.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, ISRxbcSJBsxg9PE50M.cs | Security API names: _0020.AddAccessRule
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, vG3AfOoUidGGkxae9N.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, ISRxbcSJBsxg9PE50M.cs | Security API names: _0020.SetAccessControl
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, ISRxbcSJBsxg9PE50M.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, ISRxbcSJBsxg9PE50M.cs | Security API names: _0020.AddAccessRule
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, vG3AfOoUidGGkxae9N.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, ISRxbcSJBsxg9PE50M.cs | Security API names: _0020.SetAccessControl
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, ISRxbcSJBsxg9PE50M.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, ISRxbcSJBsxg9PE50M.cs | Security API names: _0020.AddAccessRule
                  Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@32/7@1/2
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.log
                  Source: C:\ProgramData\Adobe\Adobe.exe | Mutant created: NULL
                  Source: C:\ProgramData\Adobe\Adobe.exe | Mutant created: \Sessions\1\BaseNamedObjects\Adobe_Nov-3XE9WN
                  Source: C:\ProgramData\Adobe\Adobe.exe | File created: C:\Users\user\AppData\Local\Temp\bhv55B4.tmp
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\ProgramData\Adobe\Adobe.exe | System information queried: HandleInformation
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Adobe.exe, Adobe.exe, 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: Adobe.exe, Adobe.exe, 0000000A.00000002.2257016816.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: Adobe.exe, 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                  Source: Adobe.exe, Adobe.exe, 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                  Source: Adobe.exe, Adobe.exe, 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: Adobe.exe, Adobe.exe, 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: Adobe.exe, 00000009.00000002.2268520420.00000000011ED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: Adobe.exe, Adobe.exe, 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | ReversingLabs: Detection: 52%
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | File read: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                  Source: C:\ProgramData\Adobe\Adobe.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
                  Source: unknown | Process created: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe "C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe"
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Process created: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe "C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe"
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\lajbmlzkezuensg"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vdpundkdshmrqyukhkq"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\gxumowvfgpewamqoqvdmfn"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Process created: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe "C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe"
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\lajbmlzkezuensg"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vdpundkdshmrqyukhkq"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\gxumowvfgpewamqoqvdmfn"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: pstorec.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: pstorec.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: Adcf.pdb source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, Adobe.exe.3.dr
                  Source: Binary string: Adcf.pdbSHA256cx source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, Adobe.exe.3.dr

                  Data Obfuscation

Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, ISRxbcSJBsxg9PE50M.cs .Net Code: shVCvZZCVb System.Reflection.Assembly.Load(byte[])
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, ISRxbcSJBsxg9PE50M.cs .Net Code: shVCvZZCVb System.Reflection.Assembly.Load(byte[])
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.6210000.3.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, ISRxbcSJBsxg9PE50M.cs .Net Code: shVCvZZCVb System.Reflection.Assembly.Load(byte[])
Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe Static PE information: 0xB5DFA02C [Fri Sep 10 08:07:08 2066 UTC]
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe Code function: 3_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041BCE3
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe Code function: 3_2_004567E0 push eax; ret 3_2_004567FE
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe Code function: 3_2_0045B9DD push esi; ret 3_2_0045B9E6
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe Code function: 3_2_00463EF3 push ds; retf 3_2_00463EEC
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe Code function: 3_2_00455EAF push ecx; ret 3_2_00455EC2
Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe Code function: 3_2_00433FF6 push ecx; ret 3_2_00434009
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 6_2_10002806 push ecx; ret 6_2_10002819
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 8_2_05A28548 push eax; iretd 8_2_05A28549
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 8_2_05A27EF3 pushfd ; retf 8_2_05A27EF9
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 8_2_05A27E5B push esp; retf 8_2_05A27E61
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 8_2_05A27E58 pushad ; retf 8_2_05A27E59
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 9_2_0044693D push ecx; ret 9_2_0044694D
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 9_2_0044DB70 push eax; ret 9_2_0044DB84
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 9_2_0044DB70 push eax; ret 9_2_0044DBAC
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 9_2_00451D54 push eax; ret 9_2_00451D61
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 10_2_0044B090 push eax; ret 10_2_0044B0A4
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 10_2_0044B090 push eax; ret 10_2_0044B0CC
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 10_2_00451D34 push eax; ret 10_2_00451D41
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 10_2_00444E71 push ecx; ret 10_2_00444E81
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 11_2_00414060 push eax; ret 11_2_00414074
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 11_2_00414060 push eax; ret 11_2_0041409C
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 11_2_00414039 push ecx; ret 11_2_00414049
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 11_2_004164EB push 0000006Ah; retf 11_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 11_2_00416553 push 0000006Ah; retf 11_2_004165C4
Source: C:\ProgramData\Adobe\Adobe.exe Code function: 11_2_00416555 push 0000006Ah; retf 11_2_004165C4
Source: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe Static PE information: section name: .text entropy: 7.84894087837348
Source: Adobe.exe.3.dr Static PE information: section name: .text entropy: 7.84894087837348
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, aXCEbNzZPUcBSKjvfs.cs High entropy of concatenated method names: 'onM2cvHQLw', 'vvO2ok3rSv', 'idD27du2qK', 'liP2VrVpxo', 'JSn2NIrR5V', 'gA22xCl86P', 'Hx72U5qYub', 'Ux22ZmNklu', 'sw72eti80P', 'uW62QVZZpr'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, lKeyS7FuSXG0TZPfgt.cs High entropy of concatenated method names: 'uQBJsCdMdv', 'hq6JEJ9dLP', 'ToString', 'JIVJ63ATdV', 'r2uJ427Nt2', 'gArJtKuRNR', 'r62JyfbRb1', 'TSkJ82KxWD', 'LjVJ1kruK7', 'EpfJSr1M59'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, MT3ewlu2tJaCO5FRnZ.cs High entropy of concatenated method names: 'cDJ9KdLuhs', 'w4b9J6jIUu', 'DDq99lBofO', 'La79GMQu9a', 'vdP9rvb37o', 'HNR9Z4JoqP', 'Dispose', 'icyA6SpCDL', 'Tu0A4AiEAX', 'wb3AtY2F4F'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, xnTHTKbCSZx8d3D4qfw.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kX1Y9uKIWv', 'y18Y2Papy5', 'u1oYGW30f3', 'YcxYYUvnEB', 'aNCYrptjR7', 'r1lYqO6Dhj', 'guoYZhse9u'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, Qu23mcarpxkyuIyswY.cs High entropy of concatenated method names: 'VPd9VlJohA', 'sdQ9NQ3RaL', 'T239BJvZoE', 'aTT9xZpy1P', 'EXj9UKNWxX', 'VF59lq52UU', 'OQf9g7f5wy', 'adZ9HQLHEF', 'zMk9i1W2ti', 'gCO9DLFxP1'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, ySN60uXyr62hUSJwJM.cs High entropy of concatenated method names: 'd9pyPoKgvg', 'ThrywTXXEJ', 'ASItBcavsW', 'Ksytxgah21', 'Il6tU5AeXq', 'WITtl6rVe0', 'l02tgYwnnn', 'AWOtHq6lKE', 'XnGtik09np', 'QpptD7IKc1'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, dRnyXXtdcNdVkDC3mQ.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bRdmamc8BH', 'dKWmRds4sP', 'JHvmz091wt', 'P5sO5GrFyJ', 'CLuObgNiar', 'im6OmWyk7V', 'raeOOKVdSE', 'ahDMQjRFBXXJkoTIyA2'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, tPRhSoLUIleax6JxlG.cs High entropy of concatenated method names: 'HvpJjVRwWB', 'm6YJRncZBt', 's0GA57i7ab', 'PiuAbpL1Pd', 'FE0J0gnRMO', 'ikQJk1tK0Y', 'ynQJT3PeNC', 'SpQJ33UCrI', 'rb7JWOWuX0', 'QbEJnmVySu'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, odg71aCa06K6jTUGsh.cs High entropy of concatenated method names: 'TZrb1G3AfO', 'JidbSGGkxa', 'h8Ibsgx8qY', 'VgAbECQSN6', 'kJwbKJMFSk', 'kxabf1XGKP', 'klaGSAwSlYpDBsttyH', 'Mp2J5YQATgD6TkYdBv', 'H3obbjlOdT', 'VkCbOAYRuA'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, NLioR74G9JiZjlhiI7.cs High entropy of concatenated method names: 'Dispose', 'qaCbaO5FRn', 'FUnmNmmVDA', 't73i3bXfp6', 'xTQbRAopw0', 's7Mbz0j5eS', 'ProcessDialogKey', 'hf3m5u23mc', 'vpxmbkyuIy', 'mwYmm72CFA'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, Q3kU3pb5CuEZLhioBDq.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sA020OwPPc', 'RBM2kOxgoH', 'y7s2TQF7XV', 'HkM23NKnuG', 'Ukv2WJocss', 's9T2nNGHDM', 'fGi2FDCB2k'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, YcmckwNFeu51QfrflD.cs High entropy of concatenated method names: 'yIY0FuFPA7nkDQMgYHK', 'c2fvFiFoXHE7bnL0dmi', 'tZm8ABVaZ9', 'jR089TLrQT', 'Grq82CR4Mk', 'xMLPA2F4ojwWUN5lbXj', 'SKtGbYF77wYHW3TgsD4'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, P4EivliHasS1pNCygV.cs High entropy of concatenated method names: 'icm1eoR8kk', 'a8Q1Q6Amvj', 'ti91vYfFnr', 'G7l1dWoklX', 'LjO1P5RAmi', 'sBu1cAFHlR', 'xfr1wRWuvX', 'VHq1ogMgLI', 'pAN17boGTM', 'BNy1X1CRdG'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, OaH7Ct33jBfqR2FkNC.cs High entropy of concatenated method names: 'ohqKD4ndvF', 'T9JKkqoQGY', 'DRUK3tK3co', 'TugKW04FvP', 'dutKNgBKeo', 'e9rKBi8h7a', 'f7RKxJ91h8', 'w6yKUJHrdk', 'NYLKlbnrVN', 'vw0KgiQAQG'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, E2CFAiR0WgZxW6XwyP.cs High entropy of concatenated method names: 'BOt2tqdkbq', 'cMg2ylMVWt', 'U0c28Ea7Bq', 'DYg21f3gsH', 'XRE29TH27I', 'MtZ2Sy2hRK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, o1wCOKTXnjol5rVexH.cs High entropy of concatenated method names: 'NRIpoi3VJ8', 'ehtp7c7caq', 'aWEpVrauyx', 'Ee8pNyYG6q', 'XTUpxqE1R5', 'ywspUjssn2', 'pi7pg6vRiQ', 'vBBpHktZu2', 'qHvpDIFmWo', 'XcCp0LoglA'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, TSkSxaV1XGKP0sAyP7.cs High entropy of concatenated method names: 'ulx8IOBkPI', 'pnM84xRVh0', 'Mvu8yZrMue', 'dwv81i2O9T', 'nYG8SqRJ5o', 'h5tyhs62qG', 'tbiyLS7q4X', 'iNjyuLdkYV', 'jxryjQC1Hd', 'bsRyayPCnZ'
Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, vG3AfOoUidGGkxae9N.cs High entropy of concatenated method names: 'SM743ELu0G', 'Ha94W6FZVP', 'uD34nXZKR1', 'Y8m4FUJbEk', 'pHB4hBAcln', 'hNh4LBmGjB', 'c634u8yeOu', 'aI34jh3eEZ', 'rUD4aEji6C', 'bo94RP09VT'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, C9T9s4bbCndY8uyZhwq.csHigh entropy of concatenated method names: 'Yqq2R7H1a1', 'HyA2z2SrU8', 'rkLG55dgtx', 'E4AGbppVXs', 'WLTGmCp0Nr', 'nCuGOJlOA3', 'q2bGCHglY1', 'h0ZGIM6JPA', 'Nx4G6aDofo', 'lsHG4ZvAON'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, gOujARgroX7SoxK1WN.csHigh entropy of concatenated method names: 'SHU16EpfW5', 'ofo1t09Pbu', 'zqY18p249U', 'wGL8RJnkdi', 'ouY8z5xciV', 'Duq15XcSpp', 'XeI1b93trd', 'Vlj1mC4iC5', 'EpF1OvVfxr', 'srB1CVnWPw'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, m1xpKy78Igx8qYLgAC.csHigh entropy of concatenated method names: 'JsytdGjaF6', 'wSgtcSjk1n', 'nLFtoZOstX', 'b2nt7EZsXf', 'DaCtKlQtRs', 'sNftfoQHuw', 'FOItJs3Vs9', 'wJCtAYglsO', 'NAst9Fwb34', 'mxHt2QlfHY'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, ISRxbcSJBsxg9PE50M.csHigh entropy of concatenated method names: 'P5bOIaCnM0', 'MxJO6JGyTw', 'IKpO48vNYv', 'xdbOtMTgWD', 'urqOybNQEb', 'OQbO8fYe9I', 'yuiO1r0VNo', 'auROSS6uQr', 'OkLOM9BFm1', 'TXlOsInVt0'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, LtMkD8mE2pldO3AL2v.csHigh entropy of concatenated method names: 'xt8vjcMJr', 'C8wdK94uQ', 'mwQcrQcAp', 'qOnw9pWC2', 'BWJ7XJivB', 'mI3Xp1yki', 'wBpgvKe1ZhMqeTutRM', 'zbEnNtWgi0L2VCdMCA', 'vumAtiF21', 'JYy2skCDx'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.7520000.4.raw.unpack, SLD6hHbOgJPxQ5yb8NE.csHigh entropy of concatenated method names: 'TH2GRXLJTY', 'YG5Gz2qgsM', 'g1hY5rBvxj', 'xywIaZ1YV8db5yWSlmx', 'pMFAIT1wf4ltWdpcToO', 'lq2aiI1QAgRZDKH5P7R', 'VCnK3a1Ajrr68SZRPxL'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, aXCEbNzZPUcBSKjvfs.csHigh entropy of concatenated method names: 'onM2cvHQLw', 'vvO2ok3rSv', 'idD27du2qK', 'liP2VrVpxo', 'JSn2NIrR5V', 'gA22xCl86P', 'Hx72U5qYub', 'Ux22ZmNklu', 'sw72eti80P', 'uW62QVZZpr'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, lKeyS7FuSXG0TZPfgt.csHigh entropy of concatenated method names: 'uQBJsCdMdv', 'hq6JEJ9dLP', 'ToString', 'JIVJ63ATdV', 'r2uJ427Nt2', 'gArJtKuRNR', 'r62JyfbRb1', 'TSkJ82KxWD', 'LjVJ1kruK7', 'EpfJSr1M59'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, MT3ewlu2tJaCO5FRnZ.csHigh entropy of concatenated method names: 'cDJ9KdLuhs', 'w4b9J6jIUu', 'DDq99lBofO', 'La79GMQu9a', 'vdP9rvb37o', 'HNR9Z4JoqP', 'Dispose', 'icyA6SpCDL', 'Tu0A4AiEAX', 'wb3AtY2F4F'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, xnTHTKbCSZx8d3D4qfw.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kX1Y9uKIWv', 'y18Y2Papy5', 'u1oYGW30f3', 'YcxYYUvnEB', 'aNCYrptjR7', 'r1lYqO6Dhj', 'guoYZhse9u'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, Qu23mcarpxkyuIyswY.csHigh entropy of concatenated method names: 'VPd9VlJohA', 'sdQ9NQ3RaL', 'T239BJvZoE', 'aTT9xZpy1P', 'EXj9UKNWxX', 'VF59lq52UU', 'OQf9g7f5wy', 'adZ9HQLHEF', 'zMk9i1W2ti', 'gCO9DLFxP1'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, ySN60uXyr62hUSJwJM.csHigh entropy of concatenated method names: 'd9pyPoKgvg', 'ThrywTXXEJ', 'ASItBcavsW', 'Ksytxgah21', 'Il6tU5AeXq', 'WITtl6rVe0', 'l02tgYwnnn', 'AWOtHq6lKE', 'XnGtik09np', 'QpptD7IKc1'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, dRnyXXtdcNdVkDC3mQ.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bRdmamc8BH', 'dKWmRds4sP', 'JHvmz091wt', 'P5sO5GrFyJ', 'CLuObgNiar', 'im6OmWyk7V', 'raeOOKVdSE', 'ahDMQjRFBXXJkoTIyA2'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, tPRhSoLUIleax6JxlG.csHigh entropy of concatenated method names: 'HvpJjVRwWB', 'm6YJRncZBt', 's0GA57i7ab', 'PiuAbpL1Pd', 'FE0J0gnRMO', 'ikQJk1tK0Y', 'ynQJT3PeNC', 'SpQJ33UCrI', 'rb7JWOWuX0', 'QbEJnmVySu'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, odg71aCa06K6jTUGsh.csHigh entropy of concatenated method names: 'TZrb1G3AfO', 'JidbSGGkxa', 'h8Ibsgx8qY', 'VgAbECQSN6', 'kJwbKJMFSk', 'kxabf1XGKP', 'klaGSAwSlYpDBsttyH', 'Mp2J5YQATgD6TkYdBv', 'H3obbjlOdT', 'VkCbOAYRuA'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, NLioR74G9JiZjlhiI7.csHigh entropy of concatenated method names: 'Dispose', 'qaCbaO5FRn', 'FUnmNmmVDA', 't73i3bXfp6', 'xTQbRAopw0', 's7Mbz0j5eS', 'ProcessDialogKey', 'hf3m5u23mc', 'vpxmbkyuIy', 'mwYmm72CFA'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, Q3kU3pb5CuEZLhioBDq.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sA020OwPPc', 'RBM2kOxgoH', 'y7s2TQF7XV', 'HkM23NKnuG', 'Ukv2WJocss', 's9T2nNGHDM', 'fGi2FDCB2k'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, YcmckwNFeu51QfrflD.csHigh entropy of concatenated method names: 'yIY0FuFPA7nkDQMgYHK', 'c2fvFiFoXHE7bnL0dmi', 'tZm8ABVaZ9', 'jR089TLrQT', 'Grq82CR4Mk', 'xMLPA2F4ojwWUN5lbXj', 'SKtGbYF77wYHW3TgsD4'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, P4EivliHasS1pNCygV.csHigh entropy of concatenated method names: 'icm1eoR8kk', 'a8Q1Q6Amvj', 'ti91vYfFnr', 'G7l1dWoklX', 'LjO1P5RAmi', 'sBu1cAFHlR', 'xfr1wRWuvX', 'VHq1ogMgLI', 'pAN17boGTM', 'BNy1X1CRdG'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, OaH7Ct33jBfqR2FkNC.csHigh entropy of concatenated method names: 'ohqKD4ndvF', 'T9JKkqoQGY', 'DRUK3tK3co', 'TugKW04FvP', 'dutKNgBKeo', 'e9rKBi8h7a', 'f7RKxJ91h8', 'w6yKUJHrdk', 'NYLKlbnrVN', 'vw0KgiQAQG'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, E2CFAiR0WgZxW6XwyP.csHigh entropy of concatenated method names: 'BOt2tqdkbq', 'cMg2ylMVWt', 'U0c28Ea7Bq', 'DYg21f3gsH', 'XRE29TH27I', 'MtZ2Sy2hRK', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, o1wCOKTXnjol5rVexH.csHigh entropy of concatenated method names: 'NRIpoi3VJ8', 'ehtp7c7caq', 'aWEpVrauyx', 'Ee8pNyYG6q', 'XTUpxqE1R5', 'ywspUjssn2', 'pi7pg6vRiQ', 'vBBpHktZu2', 'qHvpDIFmWo', 'XcCp0LoglA'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, TSkSxaV1XGKP0sAyP7.csHigh entropy of concatenated method names: 'ulx8IOBkPI', 'pnM84xRVh0', 'Mvu8yZrMue', 'dwv81i2O9T', 'nYG8SqRJ5o', 'h5tyhs62qG', 'tbiyLS7q4X', 'iNjyuLdkYV', 'jxryjQC1Hd', 'bsRyayPCnZ'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, vG3AfOoUidGGkxae9N.csHigh entropy of concatenated method names: 'SM743ELu0G', 'Ha94W6FZVP', 'uD34nXZKR1', 'Y8m4FUJbEk', 'pHB4hBAcln', 'hNh4LBmGjB', 'c634u8yeOu', 'aI34jh3eEZ', 'rUD4aEji6C', 'bo94RP09VT'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, C9T9s4bbCndY8uyZhwq.csHigh entropy of concatenated method names: 'Yqq2R7H1a1', 'HyA2z2SrU8', 'rkLG55dgtx', 'E4AGbppVXs', 'WLTGmCp0Nr', 'nCuGOJlOA3', 'q2bGCHglY1', 'h0ZGIM6JPA', 'Nx4G6aDofo', 'lsHG4ZvAON'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, gOujARgroX7SoxK1WN.csHigh entropy of concatenated method names: 'SHU16EpfW5', 'ofo1t09Pbu', 'zqY18p249U', 'wGL8RJnkdi', 'ouY8z5xciV', 'Duq15XcSpp', 'XeI1b93trd', 'Vlj1mC4iC5', 'EpF1OvVfxr', 'srB1CVnWPw'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, m1xpKy78Igx8qYLgAC.csHigh entropy of concatenated method names: 'JsytdGjaF6', 'wSgtcSjk1n', 'nLFtoZOstX', 'b2nt7EZsXf', 'DaCtKlQtRs', 'sNftfoQHuw', 'FOItJs3Vs9', 'wJCtAYglsO', 'NAst9Fwb34', 'mxHt2QlfHY'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, ISRxbcSJBsxg9PE50M.csHigh entropy of concatenated method names: 'P5bOIaCnM0', 'MxJO6JGyTw', 'IKpO48vNYv', 'xdbOtMTgWD', 'urqOybNQEb', 'OQbO8fYe9I', 'yuiO1r0VNo', 'auROSS6uQr', 'OkLOM9BFm1', 'TXlOsInVt0'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, LtMkD8mE2pldO3AL2v.csHigh entropy of concatenated method names: 'xt8vjcMJr', 'C8wdK94uQ', 'mwQcrQcAp', 'qOnw9pWC2', 'BWJ7XJivB', 'mI3Xp1yki', 'wBpgvKe1ZhMqeTutRM', 'zbEnNtWgi0L2VCdMCA', 'vumAtiF21', 'JYy2skCDx'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, SLD6hHbOgJPxQ5yb8NE.csHigh entropy of concatenated method names: 'TH2GRXLJTY', 'YG5Gz2qgsM', 'g1hY5rBvxj', 'xywIaZ1YV8db5yWSlmx', 'pMFAIT1wf4ltWdpcToO', 'lq2aiI1QAgRZDKH5P7R', 'VCnK3a1Ajrr68SZRPxL'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, aXCEbNzZPUcBSKjvfs.csHigh entropy of concatenated method names: 'onM2cvHQLw', 'vvO2ok3rSv', 'idD27du2qK', 'liP2VrVpxo', 'JSn2NIrR5V', 'gA22xCl86P', 'Hx72U5qYub', 'Ux22ZmNklu', 'sw72eti80P', 'uW62QVZZpr'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, lKeyS7FuSXG0TZPfgt.csHigh entropy of concatenated method names: 'uQBJsCdMdv', 'hq6JEJ9dLP', 'ToString', 'JIVJ63ATdV', 'r2uJ427Nt2', 'gArJtKuRNR', 'r62JyfbRb1', 'TSkJ82KxWD', 'LjVJ1kruK7', 'EpfJSr1M59'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, MT3ewlu2tJaCO5FRnZ.csHigh entropy of concatenated method names: 'cDJ9KdLuhs', 'w4b9J6jIUu', 'DDq99lBofO', 'La79GMQu9a', 'vdP9rvb37o', 'HNR9Z4JoqP', 'Dispose', 'icyA6SpCDL', 'Tu0A4AiEAX', 'wb3AtY2F4F'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, xnTHTKbCSZx8d3D4qfw.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kX1Y9uKIWv', 'y18Y2Papy5', 'u1oYGW30f3', 'YcxYYUvnEB', 'aNCYrptjR7', 'r1lYqO6Dhj', 'guoYZhse9u'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, Qu23mcarpxkyuIyswY.csHigh entropy of concatenated method names: 'VPd9VlJohA', 'sdQ9NQ3RaL', 'T239BJvZoE', 'aTT9xZpy1P', 'EXj9UKNWxX', 'VF59lq52UU', 'OQf9g7f5wy', 'adZ9HQLHEF', 'zMk9i1W2ti', 'gCO9DLFxP1'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, ySN60uXyr62hUSJwJM.csHigh entropy of concatenated method names: 'd9pyPoKgvg', 'ThrywTXXEJ', 'ASItBcavsW', 'Ksytxgah21', 'Il6tU5AeXq', 'WITtl6rVe0', 'l02tgYwnnn', 'AWOtHq6lKE', 'XnGtik09np', 'QpptD7IKc1'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, dRnyXXtdcNdVkDC3mQ.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bRdmamc8BH', 'dKWmRds4sP', 'JHvmz091wt', 'P5sO5GrFyJ', 'CLuObgNiar', 'im6OmWyk7V', 'raeOOKVdSE', 'ahDMQjRFBXXJkoTIyA2'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, tPRhSoLUIleax6JxlG.csHigh entropy of concatenated method names: 'HvpJjVRwWB', 'm6YJRncZBt', 's0GA57i7ab', 'PiuAbpL1Pd', 'FE0J0gnRMO', 'ikQJk1tK0Y', 'ynQJT3PeNC', 'SpQJ33UCrI', 'rb7JWOWuX0', 'QbEJnmVySu'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, odg71aCa06K6jTUGsh.csHigh entropy of concatenated method names: 'TZrb1G3AfO', 'JidbSGGkxa', 'h8Ibsgx8qY', 'VgAbECQSN6', 'kJwbKJMFSk', 'kxabf1XGKP', 'klaGSAwSlYpDBsttyH', 'Mp2J5YQATgD6TkYdBv', 'H3obbjlOdT', 'VkCbOAYRuA'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, NLioR74G9JiZjlhiI7.csHigh entropy of concatenated method names: 'Dispose', 'qaCbaO5FRn', 'FUnmNmmVDA', 't73i3bXfp6', 'xTQbRAopw0', 's7Mbz0j5eS', 'ProcessDialogKey', 'hf3m5u23mc', 'vpxmbkyuIy', 'mwYmm72CFA'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, Q3kU3pb5CuEZLhioBDq.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sA020OwPPc', 'RBM2kOxgoH', 'y7s2TQF7XV', 'HkM23NKnuG', 'Ukv2WJocss', 's9T2nNGHDM', 'fGi2FDCB2k'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, YcmckwNFeu51QfrflD.csHigh entropy of concatenated method names: 'yIY0FuFPA7nkDQMgYHK', 'c2fvFiFoXHE7bnL0dmi', 'tZm8ABVaZ9', 'jR089TLrQT', 'Grq82CR4Mk', 'xMLPA2F4ojwWUN5lbXj', 'SKtGbYF77wYHW3TgsD4'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, P4EivliHasS1pNCygV.csHigh entropy of concatenated method names: 'icm1eoR8kk', 'a8Q1Q6Amvj', 'ti91vYfFnr', 'G7l1dWoklX', 'LjO1P5RAmi', 'sBu1cAFHlR', 'xfr1wRWuvX', 'VHq1ogMgLI', 'pAN17boGTM', 'BNy1X1CRdG'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, OaH7Ct33jBfqR2FkNC.csHigh entropy of concatenated method names: 'ohqKD4ndvF', 'T9JKkqoQGY', 'DRUK3tK3co', 'TugKW04FvP', 'dutKNgBKeo', 'e9rKBi8h7a', 'f7RKxJ91h8', 'w6yKUJHrdk', 'NYLKlbnrVN', 'vw0KgiQAQG'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, E2CFAiR0WgZxW6XwyP.csHigh entropy of concatenated method names: 'BOt2tqdkbq', 'cMg2ylMVWt', 'U0c28Ea7Bq', 'DYg21f3gsH', 'XRE29TH27I', 'MtZ2Sy2hRK', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, o1wCOKTXnjol5rVexH.csHigh entropy of concatenated method names: 'NRIpoi3VJ8', 'ehtp7c7caq', 'aWEpVrauyx', 'Ee8pNyYG6q', 'XTUpxqE1R5', 'ywspUjssn2', 'pi7pg6vRiQ', 'vBBpHktZu2', 'qHvpDIFmWo', 'XcCp0LoglA'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, TSkSxaV1XGKP0sAyP7.csHigh entropy of concatenated method names: 'ulx8IOBkPI', 'pnM84xRVh0', 'Mvu8yZrMue', 'dwv81i2O9T', 'nYG8SqRJ5o', 'h5tyhs62qG', 'tbiyLS7q4X', 'iNjyuLdkYV', 'jxryjQC1Hd', 'bsRyayPCnZ'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, vG3AfOoUidGGkxae9N.csHigh entropy of concatenated method names: 'SM743ELu0G', 'Ha94W6FZVP', 'uD34nXZKR1', 'Y8m4FUJbEk', 'pHB4hBAcln', 'hNh4LBmGjB', 'c634u8yeOu', 'aI34jh3eEZ', 'rUD4aEji6C', 'bo94RP09VT'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, C9T9s4bbCndY8uyZhwq.csHigh entropy of concatenated method names: 'Yqq2R7H1a1', 'HyA2z2SrU8', 'rkLG55dgtx', 'E4AGbppVXs', 'WLTGmCp0Nr', 'nCuGOJlOA3', 'q2bGCHglY1', 'h0ZGIM6JPA', 'Nx4G6aDofo', 'lsHG4ZvAON'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, gOujARgroX7SoxK1WN.csHigh entropy of concatenated method names: 'SHU16EpfW5', 'ofo1t09Pbu', 'zqY18p249U', 'wGL8RJnkdi', 'ouY8z5xciV', 'Duq15XcSpp', 'XeI1b93trd', 'Vlj1mC4iC5', 'EpF1OvVfxr', 'srB1CVnWPw'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, m1xpKy78Igx8qYLgAC.csHigh entropy of concatenated method names: 'JsytdGjaF6', 'wSgtcSjk1n', 'nLFtoZOstX', 'b2nt7EZsXf', 'DaCtKlQtRs', 'sNftfoQHuw', 'FOItJs3Vs9', 'wJCtAYglsO', 'NAst9Fwb34', 'mxHt2QlfHY'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, ISRxbcSJBsxg9PE50M.csHigh entropy of concatenated method names: 'P5bOIaCnM0', 'MxJO6JGyTw', 'IKpO48vNYv', 'xdbOtMTgWD', 'urqOybNQEb', 'OQbO8fYe9I', 'yuiO1r0VNo', 'auROSS6uQr', 'OkLOM9BFm1', 'TXlOsInVt0'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, LtMkD8mE2pldO3AL2v.csHigh entropy of concatenated method names: 'xt8vjcMJr', 'C8wdK94uQ', 'mwQcrQcAp', 'qOnw9pWC2', 'BWJ7XJivB', 'mI3Xp1yki', 'wBpgvKe1ZhMqeTutRM', 'zbEnNtWgi0L2VCdMCA', 'vumAtiF21', 'JYy2skCDx'
                  Source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, SLD6hHbOgJPxQ5yb8NE.csHigh entropy of concatenated method names: 'TH2GRXLJTY', 'YG5Gz2qgsM', 'g1hY5rBvxj', 'xywIaZ1YV8db5yWSlmx', 'pMFAIT1wf4ltWdpcToO', 'lq2aiI1QAgRZDKH5P7R', 'VCnK3a1Ajrr68SZRPxL'

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | File written: C:\ProgramData\Adobe\Adobe.exe
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00406128 ShellExecuteW,URLDownloadToFileW,3_2_00406128
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | File created: \isf (twn24110458 - invoice & packing list po pous120000241, pous120000771.scr.exe
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | File created: C:\ProgramData\Adobe\Adobe.exe (dropped file)

                  Boot Survival

                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WN
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00419BC4
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WN
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041BCE3
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 7108, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1200, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0040E54F Sleep,ExitProcess
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Memory allocated: 14E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Memory allocated: 30A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Memory allocated: 50A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Memory allocated: 7FD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Memory allocated: 7740000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Memory allocated: 8FD0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Memory allocated: 9FD0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2C80000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2EF0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2E20000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 75D0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 85D0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 8760000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 9760000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2DF0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 3040000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2F90000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 79E0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 7630000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 89E0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 99E0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: F50000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2A80000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 28D0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 7450000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 7020000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 8450000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 9450000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 2BD0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 4BD0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 7420000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 8420000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 85B0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory allocated: 95B0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_004198C2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe | Window / User API: threadDelayed 444
                  Source: C:\ProgramData\Adobe\Adobe.exe | Window / User API: threadDelayed 9545
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Evaded block: after key decision | graph_3-47829
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Evaded block: after key decision | graph_3-47806
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | API coverage: 5.5 %
                  Source: C:\ProgramData\Adobe\Adobe.exe | API coverage: 9.7 %
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe TID: 1396 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 5368 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 5780 | Thread sleep count: 444 > 30
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 5780 | Thread sleep time: -1332000s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 5780 | Thread sleep count: 9545 > 30
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 5780 | Thread sleep time: -28635000s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 1564 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 5592 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 5160 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_0044D5E9 FindFirstFileExA
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_10006580 FindFirstFileExA
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_0040AE51 FindFirstFileW,FindNextFileW
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 10_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                  Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_00418981 memset,GetSystemInfo
                  Source: Adobe.exe, 00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000006.00000002.4489027387.0000000001193000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Adobe.exe, 00000006.00000002.4489027387.0000000001193000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: C:\ProgramData\Adobe\Adobe.exeAPI call chain: ExitProcess graph end node
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0043A65D
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,9_2_0040DD85
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041BCE3
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00442554 mov eax, dword ptr fs:[00000030h]3_2_00442554
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 6_2_10004AB4 mov eax, dword ptr fs:[00000030h]6_2_10004AB4
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0044E92E GetProcessHeap,3_2_0044E92E
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess token adjusted: Debug
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00434168
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0043A65D
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00433B44
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00433CD7 SetUnhandledExceptionFilter,3_2_00433CD7
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 6_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_100060E2
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 6_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_10002639
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 6_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_10002B1C
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeMemory written: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe base: 400000 value starts with: 4D5A
                  Source: C:\ProgramData\Adobe\Adobe.exeMemory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
                  Source: C:\ProgramData\Adobe\Adobe.exeMemory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
                  Source: C:\ProgramData\Adobe\Adobe.exeMemory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe3_2_00410F36
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00418754 mouse_event,3_2_00418754
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeProcess created: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe "C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe"
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\lajbmlzkezuensg"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vdpundkdshmrqyukhkq"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\gxumowvfgpewamqoqvdmfn"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: Adobe.exe, 00000006.00000002.4489027387.0000000001172000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: Adobe.exe, 00000006.00000002.4489027387.0000000001172000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerSC
                  Source: Adobe.exe, 00000006.00000002.4489027387.000000000114E000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00433E0A cpuid 3_2_00433E0A
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: EnumSystemLocalesW,3_2_004470AE
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: GetLocaleInfoW,3_2_004510BA
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_004511E3
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: GetLocaleInfoW,3_2_004512EA
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_004513B7
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: GetLocaleInfoW,3_2_00447597
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: GetLocaleInfoA,3_2_0040E679
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_00450A7F
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: EnumSystemLocalesW,3_2_00450CF7
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: EnumSystemLocalesW,3_2_00450D42
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: EnumSystemLocalesW,3_2_00450DDD
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_00450E6A
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeQueries volume information: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe VolumeInformation
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_00434010
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0041A7A2 GetUserNameW,3_2_0041A7A2
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: 3_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,3_2_0044800F
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: 9_2_0041739B GetVersionExW,9_2_0041739B
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.2086357247.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.2271330549.0000000001277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000014.00000002.2432009216.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000010.00000002.2350119787.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 7108, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 5324, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 2796, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 5660, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 6108, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 6660, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data3_2_0040B21B
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\3_2_0040B335
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: \key3.db3_2_0040B335
                  Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                  Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                  Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                  Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                  Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: ESMTPPassword10_2_004033F0
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword10_2_00402DB3
                  Source: C:\ProgramData\Adobe\Adobe.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword10_2_00402DB3
                  Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 6200, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara matchFile source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.4266940.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.41aa120.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe.40c1d60.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.2086357247.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.2271330549.0000000001277000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000014.00000002.2432009216.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000010.00000002.2350119787.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 7108, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe PID: 5324, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 2796, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 5660, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 6108, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 6660, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exeCode function: cmd.exe3_2_00405042
                  MITRE ATT&CK Matrix (one tactic per line; numbers in parentheses are the counts shown beside those techniques in the matrix)

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                  Execution: Native API (21); Command and Scripting Interpreter (12); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                  Persistence: DLL Side-Loading (1); Windows Service (1); Registry Run Keys / Startup Folder (11); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (222); Registry Run Keys / Startup Folder (11); Startup Items; Scheduled Task/Job; At; Cron; Launchd
                  Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); Timestomp (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (11); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (222)
                  Credential Access: OS Credential Dumping (2); Input Capture (111); Credentials in Registry (2); Credentials In Files (3); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                  Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (38); Security Software Discovery (131); Virtualization/Sandbox Evasion (31); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1); System Network Connections Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                  Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (111); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                  Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                  Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1566986
Sample: ISF (TWN24110458 - Invoice ...
Startdate: 02/12/2024
Architecture: WINDOWS
Score: 100

Bracketed numbers after a process are the per-node counters drawn beside it in the original graph (see the legend above).

Root node (2):
• DNS/IP: geoplugin.net
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
• Started: 10 ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe [3]; 14 Adobe.exe [2]; 16 Adobe.exe; 18 Adobe.exe [2]

Process 10, ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe:
• Dropped: ISF (TWN24110458 -...0000771.scr.exe.log, ASCII
• Signatures: Injects a PE file into a foreign processes
• Started: 20 ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe [2 4]

Processes 14, 16 and 18, Adobe.exe:
• 14 started 24, 26 and 28 Adobe.exe
• 16 started 30, 32 and 34 Adobe.exe
• 18 started 36 Adobe.exe

Process 20, ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe:
• Dropped: C:\ProgramData\Adobe\Adobe.exe, PE32; C:\ProgramData\...\Adobe.exe:Zone.Identifier, ASCII
• Signatures: Creates autostart registry keys with suspicious names; Drops executable to a common third party application directory
• Started: 38 Adobe.exe [3]

Process 38, Adobe.exe:
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file registry); Machine Learning detection for dropped file
• Started: 41 Adobe.exe [3 14]; 45 Adobe.exe

Process 41, Adobe.exe:
• DNS/IP: 104.250.180.178, ports 49708, 49710, 7902, M247GB, United States; geoplugin.net, 178.237.33.50, ports 49711, 80, ATOM86-ASATOM86NL, Netherlands
• Signatures: Maps a DLL or memory area into another process
• Started: 47 Adobe.exe [1]; 50 Adobe.exe [1]; 52 Adobe.exe [14]

Process 47, Adobe.exe:
• Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)

Process 50, Adobe.exe:
• Signatures: Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | 100% | Avira | HEUR/AGEN.1309499
ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\ProgramData\Adobe\Adobe.exe | 100% | Avira | HEUR/AGEN.1309499
C:\ProgramData\Adobe\Adobe.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Adobe\Adobe.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | Adobe.exe, Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpA | Adobe.exe, 00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.imvu.comr | Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpCS | Adobe.exe, 00000006.00000002.4489027387.0000000001172000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.imvu.com | Adobe.exe, Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://www.google.com/accounts/servicelogin | Adobe.exe | false | | high
https://login.yahoo.com/config/login | Adobe.exe | false | | high
http://www.nirsoft.net | Adobe.exe, 00000009.00000002.2267964354.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net/ | Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://www.ebuddy.com | Adobe.exe, Adobe.exe, 0000000B.00000002.2257093239.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.250.180.178 | unknown | United States | 9009 | M247GB | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1566986
                                              Start date and time:2024-12-02 22:04:05 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 10m 7s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                                              Detection:MAL
                                              Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@32/7@1/2
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 243
                                              • Number of non-executed functions: 269
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                              • VT rate limit hit for: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
Time | Type | Description
16:04:59 | API Interceptor | 1x Sleep call for process: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe modified
16:05:05 | API Interceptor | 4182073x Sleep call for process: Adobe.exe modified
22:05:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WN "C:\ProgramData\Adobe\Adobe.exe"
22:05:12 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WN "C:\ProgramData\Adobe\Adobe.exe"
22:05:21 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Adobe_Nov-3XE9WN "C:\ProgramData\Adobe\Adobe.exe"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.250.180.178 | THITWNSEI24112908089786756456545346568789-00010.scr.exe | malicious | XWorm |
104.250.180.178 | SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | malicious | PureLog Stealer, XWorm |
104.250.180.178 | #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | malicious | PureLog Stealer, Remcos |
104.250.180.178 | Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos |
104.250.180.178 | CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, XWorm |
104.250.180.178 | Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | Remcos |
104.250.180.178 | PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | XWorm |
104.250.180.178 | rSOD219ISF-____.scr.exe | malicious | Remcos |
104.250.180.178 | rWWTLCLtoUSADCL.scr.exe | malicious | XWorm |
104.250.180.178 | ttCOg61bOg.exe | malicious | Remcos |
178.237.33.50 | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | INTECH RFQ EN241813.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | Quote Qu11262024.scr.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | rAttached_updat.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | Beschwerde-AutoKauf.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | malicious | PureLog Stealer, Remcos | geoplugin.net/json.gp
178.237.33.50 | PO 09770_MQ 018370_04847_Order.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | INTECH RFQ EN241813.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Quote Qu11262024.scr.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | rAttached_updat.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Beschwerde-AutoKauf.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | malicious | PureLog Stealer, Remcos | 178.237.33.50
geoplugin.net | PO 09770_MQ 018370_04847_Order.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | THITWNSEI24112908089786756456545346568789-00010.scr.exe | malicious | XWorm | 104.250.180.178
M247GB | rAttached_updat.vbs | malicious | GuLoader, Remcos | 172.111.247.228
M247GB | teste.arm.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 158.46.140.103
M247GB | sora.ppc.elf | malicious | Mirai | 38.201.44.7
M247GB | la.bot.arm5.elf | malicious | Unknown | 62.216.72.28
M247GB | arm7-20241130-2047.elf | malicious | Mirai | 38.206.34.38
M247GB | sample.bin.exe | malicious | Unknown | 172.86.76.228
M247GB | sample.bin.exe | malicious | Unknown | 172.86.76.228
M247GB | EEghgCvQUy.exe | malicious | DanaBot | 172.86.76.246
M247GB | 3yb52PgwJ2.exe | malicious | DanaBot | 172.86.76.246
ATOM86-ASATOM86NL | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | INTECH RFQ EN241813.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Quote Qu11262024.scr.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | RFQ_PX2_MULE2024_Travco_Engineering_Construction_PDF.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | rAttached_updat.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Beschwerde-AutoKauf.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | malicious | PureLog Stealer, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PO 09770_MQ 018370_04847_Order.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos | 178.237.33.50
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):968192
                                                                  Entropy (8bit):7.843918909535052
                                                                  Encrypted:false
                                                                  SSDEEP:24576:gjb4DeayiRyXCTovSWHH00vbqc+Su9NvyqWPCx:gf5+k1n00D4ScN69PCx
                                                                  MD5:A21780A599C30BCF11B6152FF9D16BE2
                                                                  SHA1:953F98A9904C76B275809BAD78D16CF550F2483D
                                                                  SHA-256:93EA6AC422F90A1031160360409FEA1C16C533BE06CC2B6E71E748EE3D20683A
                                                                  SHA-512:8E1F69A23B508C2CC4C61B001B91645A91211C89E11D35237CC78890C68F96362151A7DB7DA85045D9A639BD717110E965C92EAAA546B8F9702620E6022D8D59
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 53%
                                                                  Reputation:low
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,................0.................. ........@.. ....................... ............@.................................V...O.......................................p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........d...K......`.......X............................................0..M.........}......}.....(.....sn......(.............s....o....}g......o...s....o.....*....0...........s......o.....*".(.....*.0...........s".....o.....*..0..+.........,..{.......+....,...{....o........(.....*..0............o ....+..*.0..S..........+4...+.......(........X...(..../..o!......+....-....X...o".../..o!......+....-.*..0..............o#.......o!...Y..........,T...($.....b..(%....b`..(&...`....
                                                                  Process:C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                  Process:C:\ProgramData\Adobe\Adobe.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1216
                                                                  Entropy (8bit):5.34331486778365
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\ProgramData\Adobe\Adobe.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.013758486871551
Encrypted: false
SSDEEP: 12:tkluJnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7x:qluNdVauKyGX85jvXhNlT3/7AcV9Wro
MD5: A0B25AA7ACE7B58B8A68A3B043CBD1A2
SHA1: 557B3E91B19FF73B980577D21B0759ACFB694334
SHA-256: FF65B6A6CAF43C5830DA137836E99CC4F2DC511116EC72A8F180A17FCCB17526
SHA-512: 581BF3DEEA3713D383A87024CEA8C3B913FE1138C3D5A9D9D50854EB12DF8D8FFF3239ECB5DC21A24CD337DB7CE4655E6EB373B9524E6BBF160EAB31323CE894
Malicious: false
Preview: {. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\ProgramData\Adobe\Adobe.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xb20b6b62, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 15728640
Entropy (8bit): 0.10106922760070924
Encrypted: false
SSDEEP: 1536:WSB2jpSB2jFSjlK/yw/ZweshzbOlqVqLesThEjv7veszO/Zk0P1EX:Wa6akUueqaeP6W
MD5: 8474A17101F6B908E85D4EF5495DEF3C
SHA1: 7B9993C39B3879C85BF4F343E907B9EBBDB8D30F
SHA-256: 56CC6547BDF75FA8CA4AF11433A7CAE673C8D1DF0DE51DBEEB19EF3B1D844A2A
SHA-512: 056D7FBFB21BFE87642D57275DD07DFD0DAE21D53A7CA7D748D4E89F199B3C212B4D6F5C4923BE156528556516AA8B4D44C6FC4D5287268C6AD5657FE5FEC7A0
Malicious: false
Preview: (binary content, not printable)

Process: C:\ProgramData\Adobe\Adobe.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..

Static File Info

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.843918909535052
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
File size: 968'192 bytes
MD5: a21780a599c30bcf11b6152ff9d16be2
SHA1: 953f98a9904c76b275809bad78d16cf550f2483d
SHA256: 93ea6ac422f90a1031160360409fea1c16c533be06cc2b6e71e748ee3d20683a
SHA512: 8e1f69a23b508c2cc4c61b001b91645a91211c89e11d35237cc78890c68f96362151a7db7da85045d9a639bd717110e965c92eaaa546b8f9702620e6022d8d59
SSDEEP: 24576:gjb4DeayiRyXCTovSWHH00vbqc+Su9NvyqWPCx:gf5+k1n00D4ScN69PCx
TLSH: 2D251258165AE905CA8417B91EB2F2B12B7C3EDEE601D2039FDD6DEFB965F104C48243
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,.................0.................. ........@.. ....................... ............@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4edbaa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xB5DFA02C [Fri Sep 10 08:07:08 2066 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xedb56          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xee000          0x5a4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xebef4          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xebbb0       0xebc00   6d81c9a8c811b9a688ea1cfaa15cf45e  False     0.9377236876988335  data       7.84894087837348     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xee000          0x5a4         0x600     177ba6d34ba1f89491e9d11d10ce056a  False     0.4212239583333333  data       4.065732163704081    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xf0000          0xc           0x200     31c2ee3d3f6048df1f567b342286eb2c  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xee090  0x314  data                                                                                                  0.434010152284264
RT_MANIFEST  0xee3b4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347

Imports

DLL          Import
mscoree.dll  _CorExeMain

Suricata IDS Alerts

Timestamp                        SID      Signature                                           Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2024-12-02T22:05:09.013181+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection         1         192.168.2.5  49708        104.250.180.178  7902       TCP
2024-12-02T22:05:12.432650+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection         1         192.168.2.5  49710        104.250.180.178  7902       TCP
2024-12-02T22:05:12.639026+0100  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa  3         192.168.2.5  49711        178.237.33.50    80         TCP

TCP Packets

Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 2, 2024 22:05:06.724208117 CET  49708        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:06.844343901 CET  7902         49708      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:06.844440937 CET  49708        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:06.851178885 CET  49708        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:06.971771002 CET  7902         49708      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:08.968370914 CET  7902         49708      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:09.013180971 CET  49708        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:09.270176888 CET  7902         49708      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:09.281244040 CET  49708        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:09.401196957 CET  7902         49708      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:09.401277065 CET  49708        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:09.521239042 CET  7902         49708      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:10.178033113 CET  7902         49708      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:10.179357052 CET  49708        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:10.299263000 CET  7902         49708      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:10.478631973 CET  7902         49708      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:10.526355982 CET  49708        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:10.619805098 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:10.739758015 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:10.739828110 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:10.744143963 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:11.086463928 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:11.213964939 CET  49711        80         192.168.2.5      178.237.33.50
Dec 2, 2024 22:05:11.333863020 CET  80           49711      178.237.33.50    192.168.2.5
Dec 2, 2024 22:05:11.333946943 CET  49711        80         192.168.2.5      178.237.33.50
Dec 2, 2024 22:05:11.334877014 CET  49711        80         192.168.2.5      178.237.33.50
Dec 2, 2024 22:05:11.454812050 CET  80           49711      178.237.33.50    192.168.2.5
Dec 2, 2024 22:05:12.378460884 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:12.432650089 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:12.638957977 CET  80           49711      178.237.33.50    192.168.2.5
Dec 2, 2024 22:05:12.639025927 CET  49711        80         192.168.2.5      178.237.33.50
Dec 2, 2024 22:05:12.652311087 CET  49708        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:12.683790922 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:12.688112020 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:12.772207975 CET  7902         49708      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:12.808116913 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:12.810266972 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:12.930181026 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.569570065 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.569732904 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.569788933 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:13.578886032 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.578979969 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.578995943 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.579034090 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:13.579233885 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.579289913 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:13.586934090 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.587059021 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.587105989 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:13.591202021 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.591279030 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.591372013 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:13.599544048 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.603739977 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.603823900 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:13.637742996 CET  80           49711      178.237.33.50    192.168.2.5
Dec 2, 2024 22:05:13.637878895 CET  49711        80         192.168.2.5      178.237.33.50
Dec 2, 2024 22:05:13.689775944 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.689799070 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.689857960 CET  49710        7902       192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:13.820022106 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.820115089 CET  7902         49710      104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:13.820188046 CET  49710        7902       192.168.2.5      104.250.180.178
                                                                  Dec 2, 2024 22:05:13.823422909 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.833987951 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.834064960 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.834124088 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.837363005 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.837424040 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.839091063 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.839236021 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.841276884 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.845159054 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.862303019 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.862376928 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.862425089 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.865972042 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.865992069 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.866024971 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.872800112 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.872853041 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.872889996 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.879800081 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.879853010 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.881901026 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.882052898 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.882225990 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.889035940 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.889635086 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.889684916 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.889769077 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.896743059 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.896792889 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.897342920 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.897641897 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.897773981 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:13.904356956 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.904558897 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:13.904604912 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.022317886 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.022602081 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.022651911 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.083846092 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.083951950 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.084105968 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.086594105 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.090714931 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.090754986 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.090776920 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.095618010 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.095664978 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.095784903 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.098323107 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.098364115 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.104238987 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.104340076 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.104393959 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.106971025 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.113692045 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.113734007 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.113850117 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.116487026 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.116604090 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.120584965 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.120703936 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.120754004 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.123322010 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.129684925 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.129730940 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.129781008 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.132428885 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.132500887 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.133924007 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.134013891 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.134057999 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.138495922 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.162941933 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.162990093 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.163047075 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.165642023 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.165700912 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.173521996 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.173614025 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.173670053 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.176256895 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.183547974 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.183561087 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.183692932 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.186249971 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.186300993 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.186357975 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.194442987 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.194490910 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.194542885 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.197189093 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.197232008 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.205908060 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.206072092 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.206145048 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.208681107 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.208874941 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.208914995 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.222444057 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.222539902 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.222587109 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.224457026 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.224556923 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.224606037 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.229470968 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.230148077 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.230200052 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.230249882 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.235450983 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.235498905 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.240906954 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.241059065 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.241107941 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.242326021 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.242383957 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.242435932 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.254086018 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.254237890 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.254295111 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.256845951 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.263921022 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.263981104 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.264106035 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.266551018 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.266599894 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.284082890 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.284238100 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.284384966 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.286066055 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.331044912 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.331054926 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.331120968 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.335330963 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.335366011 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.335391045 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.364213943 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.364264011 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.364276886 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.395560026 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.395611048 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.395612001 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.406923056 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.406963110 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.406966925 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.423397064 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.423450947 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.423458099 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.441771030 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.441824913 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.441833019 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.454852104 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.454926014 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.454936981 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.455929995 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.455976963 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.463903904 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.464073896 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.464366913 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.465056896 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.473823071 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.473835945 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.473877907 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.474848032 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.474903107 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.485172033 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.485279083 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.485400915 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.493726969 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.493829012 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.493870020 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.494803905 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.504174948 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.504239082 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.504282951 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.505337000 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.505389929 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.519155025 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.519418001 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.519485950 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.520253897 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.531951904 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.532007933 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.532008886 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.535358906 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.535418987 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.535444975 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.536037922 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.536060095 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.536107063 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.565932989 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.565989017 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.566243887 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.567034006 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.567097902 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.581794977 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.581916094 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.581968069 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.582962036 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.593455076 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.593468904 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.593518972 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.594528913 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.594592094 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:14.616981983 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:14.617084980 CET790249710104.250.180.178192.168.2.5
Dec 2, 2024 22:05:14.617137909 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.618135929 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.618263960 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.618514061 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.620407104 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.635710955 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.635807037 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.635854959 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.636842966 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.636899948 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.636928082 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.651768923 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.651878119 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.651922941 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.652924061 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.653064013 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.665000916 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.665066004 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.665194035 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.669965029 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.670084953 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.670130014 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.670984030 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.679693937 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.679707050 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.679771900 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.680849075 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.680932045 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.686269045 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.686312914 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.686351061 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.687877893 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.687988997 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.688030005 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.689225912 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.698885918 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.698940992 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.699023008 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.700011015 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.700059891 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.705312014 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.705374956 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.705415010 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.709428072 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.709599972 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.709647894 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.710534096 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.720355034 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.720402002 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.720406055 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.733078957 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.733088970 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.733136892 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.739134073 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.739183903 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.739330053 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.740279913 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.740334034 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.744330883 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.744343996 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.744400978 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.745358944 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.764050007 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.764139891 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.764249086 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.764988899 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.765034914 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.778626919 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.778754950 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.778801918 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.779783010 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.793771982 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.793868065 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.793869972 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.795083046 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.795149088 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.803761005 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.803891897 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.803976059 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.804934978 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.814541101 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.814595938 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.814855099 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.815418005 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.815428972 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.815473080 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.853382111 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.853482008 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.853513002 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.866152048 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.866203070 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.866240978 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.870980978 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.871028900 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.871054888 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.899884939 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.899959087 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.899972916 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.906435966 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.906486034 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.906501055 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.934516907 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.934568882 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.934603930 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.945231915 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.945321083 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.945341110 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:14.979640961 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.979731083 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:14.979968071 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.048798084 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.048928022 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.049026966 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.049930096 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.101227999 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.101284981 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.101330042 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.136280060 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.136344910 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.136456966 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.146550894 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.146560907 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.146656990 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.185584068 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.185600996 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.185720921 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.228929043 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.229042053 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.229161024 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.230078936 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.249489069 CET  7902   49708  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.250008106 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.250108957 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.250128031 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.251630068 CET  49708  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.295181990 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.296457052 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.296578884 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.296732903 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.297599077 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.297656059 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.297874928 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.299527884 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.299593925 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.299829960 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.307518005 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.307631016 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.308610916 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.308736086 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.317475080 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.317534924 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.317821980 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.318572044 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.318716049 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.347660065 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.347709894 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.347868919 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.357333899 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.357467890 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.357805967 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.358095884 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.364731073 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.364844084 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.365062952 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.365808010 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.365909100 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.365927935 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.371515036 CET  7902   49708  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.374345064 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.374442101 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.374456882 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.375483990 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.375586033 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.383826017 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.383977890 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.384196043 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.384849072 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.384967089 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.385169029 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.404648066 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.404779911 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.404844046 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.410943985 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.411040068 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.411134005 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.412029028 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.417606115 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.417645931 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.417670965 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.418356895 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.418402910 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.418425083 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.423752069 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.423763037 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.423969030 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.424685001 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.427272081 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.437213898 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.437350988 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.437697887 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.438311100 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.455173016 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.455265999 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.455418110 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.468468904 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.468604088 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.468678951 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.469616890 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.469748974 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.497925997 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.497936964 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.498032093 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.560679913 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.560745955 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.561290026 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.561490059 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.561892033 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.561904907 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.562019110 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.563987017 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.564093113 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.564428091 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.564438105 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.564831972 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.573918104 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.574042082 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.575174093 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.575280905 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.583990097 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.584038019 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.584074974 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.605587006 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.605668068 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.605703115 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.624531984 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.624581099 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.624676943 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.656263113 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.656469107 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.656693935 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.669681072 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.669730902 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.669853926 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.761353016 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.761439085 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.761586905 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.775011063 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.775234938 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.775331020 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.806725025 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.806788921 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.811165094 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.838937998 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.839045048 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.839167118 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.840037107 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.885735989 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.902446032 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.903239012 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.903708935 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.911165953 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.914630890 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.914777040 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.915162086 CET  49710  7902   192.168.2.5      104.250.180.178
Dec 2, 2024 22:05:15.915621996 CET  7902   49710  104.250.180.178  192.168.2.5
Dec 2, 2024 22:05:15.919024944 CET  7902   49710  104.250.180.178  192.168.2.5
                                                                  Dec 2, 2024 22:05:15.919089079 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:15.919115067 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:15.920221090 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:15.920245886 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:15.963871002 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:15.994960070 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:15.995059013 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:15.995183945 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:15.996067047 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.034462929 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.034589052 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.034638882 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.035552025 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.037484884 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.080090046 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.080208063 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.080379009 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.081216097 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.135721922 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.141798019 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.142139912 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.142189026 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.142812967 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.182590961 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.183876991 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.184001923 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.184052944 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.185026884 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.229470968 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.230034113 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.230535030 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.230633020 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.231158018 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.235615969 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.235661983 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.235691071 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.254766941 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.254777908 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.254820108 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.255774975 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.255829096 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.281281948 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.281527042 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.281578064 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.296828032 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.297081947 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.297137976 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.297928095 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.299249887 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.299300909 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.319379091 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.319598913 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.319641113 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.320449114 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.344438076 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.344489098 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.344687939 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.345452070 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.345508099 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.385102034 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.385848045 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.385917902 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.409420013 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.409477949 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.409554005 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.410414934 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.423784018 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.423845053 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.423971891 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.424877882 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.424940109 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.437148094 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.437458038 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.437506914 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.455869913 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.455954075 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.455998898 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.462806940 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.463037968 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.463182926 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.463831902 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.469724894 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.469793081 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.469842911 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.470808029 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.470853090 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.494151115 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.494364023 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.494419098 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.495223045 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.520327091 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.520378113 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.520426989 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.533626080 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.533845901 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.534084082 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.534732103 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.534786940 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.545442104 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.545547962 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.545588970 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.561666965 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.562345028 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.562396049 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.563400984 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.569968939 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.570010900 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.570044994 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.572823048 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.572916031 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.580049992 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.580216885 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.580265999 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.581008911 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.584860086 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.584913015 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.584968090 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.585937977 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.585999012 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.609822989 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.610008001 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.610061884 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.610932112 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.638241053 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.638288975 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.638355017 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.663832903 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.663949966 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.665327072 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.695527077 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.695585012 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.695585966 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.709069967 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.709139109 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.709713936 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.710444927 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.710504055 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.722793102 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.723382950 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.723440886 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.734787941 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.734910965 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.735070944 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.746720076 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.747639894 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.747688055 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.771075010 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.771148920 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.773176908 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.780878067 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.780972004 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.781028032 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.795300961 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.795413971 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.795456886 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.796345949 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.811007023 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.811026096 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.811057091 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.832154989 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.832221985 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.832333088 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.833228111 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.833275080 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.839385986 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.839528084 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.839581013 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.897070885 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.897135973 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.897182941 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.904285908 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.904422045 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.904479027 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.905004978 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.905136108 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.905189037 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.907217979 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.914200068 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.914256096 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.914261103 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.915329933 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.915374994 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.923841000 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.923945904 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.923993111 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.924998999 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.935909033 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.935971022 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.936017036 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.948955059 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.949033976 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.949064970 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.950095892 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.950148106 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:16.996263981 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.996342897 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:16.996403933 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:17.050338030 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:17.050501108 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:17.050555944 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:17.051448107 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:17.070801973 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:17.070852041 CET497107902192.168.2.5104.250.180.178
                                                                  Dec 2, 2024 22:05:17.070925951 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:17.071932077 CET790249710104.250.180.178192.168.2.5
                                                                  Dec 2, 2024 22:05:17.071973085 CET497107902192.168.2.5104.250.180.178
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2024 22:05:10.726438999 CET | 61943 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 22:05:11.206309080 CET | 53 | 61943 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 2, 2024 22:05:10.726438999 CET | 192.168.2.5 | 1.1.1.1 | 0xa8fa | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 2, 2024 22:05:11.206309080 CET | 1.1.1.1 | 192.168.2.5 | 0xa8fa | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49711 | 178.237.33.50 | 80 | 2796 | C:\ProgramData\Adobe\Adobe.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 22:05:11.334877014 CET | 71 | OUT | GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Dec 2, 2024 22:05:12.638957977 CET | 1171 | IN | HTTP/1.1 200 OK
    date: Mon, 02 Dec 2024 21:05:12 GMT
    server: Apache
    content-length: 963
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
                                                                  Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
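The request above is the geolocation check-in Remcos performs after start-up: a bare GET to geoplugin.net with no User-Agent, whose JSON answer hands the operator the victim's public IP, city and country. The following is an added example, not part of the Joe Sandbox report, showing how a practitioner can parse a raw HTTP request like this one and separate it from a browser fetching the same URL. The host list beyond geoplugin.net, the constructed browser request and the alert threshold are assumptions for illustration.

```python
"""Added example (not from the Joe Sandbox report): classify a captured
HTTP request as a likely malware geolocation check-in.

Commodity RATs query a public geo-IP service right after start-up so the
operator sees where the victim is. The captured GET /json.gp request to
geoplugin.net is reproduced below as constructed sample input.
"""
from dataclasses import dataclass, field

# geoplugin.net is taken from the captured request; the other hosts are
# assumed additions and should be tuned to what your environment sees.
GEOIP_HOSTS = {"geoplugin.net", "ip-api.com", "ipinfo.io"}

# Constructed from the request shown in the report (note: no User-Agent).
SAMPLE_REQUEST = (
    "GET /json.gp HTTP/1.1\r\n"
    "Host: geoplugin.net\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign comparison: the same URL fetched by a browser.
BROWSER_REQUEST = (
    "GET /json.gp HTTP/1.1\r\n"
    "Host: geoplugin.net\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\r\n"
    "Accept: application/json\r\n"
    "Referer: https://example.test/dashboard\r\n"
    "\r\n"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)


def parse_http_request(raw: str) -> HttpRequest:
    """Parse the request line and header block of a raw HTTP/1.x request.

    Header names are lower-cased so lookups are case-insensitive, as the
    protocol requires. Parsing stops at the first empty line (end of headers).
    """
    lines = raw.splitlines()
    method, path, version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, version, headers)


def assess_geoip_lookup(req: HttpRequest) -> list[str]:
    """Return the traits that make this request look like a RAT check-in.

    An empty list means nothing suspicious was found.
    """
    findings: list[str] = []
    host = req.headers.get("host", "").split(":")[0].lower()
    if host in GEOIP_HOSTS:
        findings.append(f"request to public geo-IP service {host}")
    if "user-agent" not in req.headers:
        findings.append("no User-Agent header (browsers always send one)")
    if "referer" not in req.headers and "accept" not in req.headers:
        findings.append("no Referer or Accept header: not a page-driven fetch")
    return findings


def is_suspicious_geoip_lookup(req: HttpRequest) -> bool:
    """Alert only when a geo-IP host is queried by something that is not a browser.

    Threshold (geo-IP host plus at least one non-browser trait) is an assumption.
    """
    findings = assess_geoip_lookup(req)
    hits_geoip = any(f.startswith("request to public geo-IP") for f in findings)
    return hits_geoip and len(findings) >= 2


if __name__ == "__main__":
    for label, raw in (("captured", SAMPLE_REQUEST), ("browser", BROWSER_REQUEST)):
        req = parse_http_request(raw)
        print(f"{label}: suspicious={is_suspicious_geoip_lookup(req)}")
        for finding in assess_geoip_lookup(req):
            print("  -", finding)
```

The same check works on proxy or Zeek http.log fields (host, user_agent, referrer) without the raw parser. The response body shown above also tells the defender what the operator learned: geoplugin_request is the sandbox's egress address and geoplugin_city/countryCode the location Remcos reports to its C2 on registration.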

                                                                  Target ID:0
                                                                  Start time:16:04:53
                                                                  Start date:02/12/2024
                                                                  Path:C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe"
                                                                  Imagebase:0xcd0000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2088718838.00000000040A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:16:05:00
                                                                  Start date:02/12/2024
                                                                  Path:C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe"
                                                                  Imagebase:0x7d0000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2086357247.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:16:05:00
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0xa50000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 53%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:16:05:06
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0xb0000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:16:05:06
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0xb00000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4488781563.0000000001117000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:8
                                                                  Start time:16:05:12
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0xbc0000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:16:05:17
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\lajbmlzkezuensg"
                                                                  Imagebase:0x800000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:16:05:17
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vdpundkdshmrqyukhkq"
                                                                  Imagebase:0xa60000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:16:05:17
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\gxumowvfgpewamqoqvdmfn"
                                                                  Imagebase:0xeb0000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:16:05:19
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0xc40000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2271330549.0000000001277000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:16:05:21
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0x5f0000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:16:05:26
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0x2a0000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:16:05:26
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0x250000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:16
                                                                  Start time:16:05:26
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0x800000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.2350119787.0000000000E27000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:17
                                                                  Start time:16:05:29
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0x8a0000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:16:05:35
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0x470000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:19
                                                                  Start time:16:05:35
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0x390000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:20
                                                                  Start time:16:05:35
                                                                  Start date:02/12/2024
                                                                  Path:C:\ProgramData\Adobe\Adobe.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                                  Imagebase:0x4f0000
                                                                  File size:968'192 bytes
                                                                  MD5 hash:A21780A599C30BCF11B6152FF9D16BE2
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.2432009216.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true
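Two things in the listing above deserve a detection rather than a glance: the initial .scr.exe re-appears as C:\ProgramData\Adobe\Adobe.exe with the same MD5 (the dropped persistence copy), and three of those Adobe.exe instances (Target IDs 9, 10 and 11) are launched with /stext and a random file name under %TEMP%. /stext is the save-as-text switch of the NirSoft password-recovery tools (WebBrowserPassView, Mail PassView), which Remcos injects into fresh copies of itself to dump browser and mail credentials. The following is an added example, not part of the Joe Sandbox report, that triages process-creation records for both patterns. The record layout, the subset of targets reproduced and the random-name heuristic are assumptions for illustration.

```python
"""Added example (not from the Joe Sandbox report): triage process records
for the Remcos self-copy under C:\\ProgramData and the /stext credential
dumps launched from it.
"""
import ntpath
import re
from dataclasses import dataclass

ORIGINAL_MD5 = "A21780A599C30BCF11B6152FF9D16BE2"


@dataclass(frozen=True)
class Proc:
    target: int
    path: str
    cmdline: str
    md5: str
    elevated: bool


ADOBE = r"C:\ProgramData\Adobe\Adobe.exe"
SAMPLE = (r"C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO "
          r"POUS120000241, POUS120000771.scr.exe")

# Constructed from the report's process listing (a subset of the targets).
PROCESSES = [
    Proc(0, SAMPLE, f'"{SAMPLE}"', ORIGINAL_MD5, True),
    Proc(4, ADOBE, f'"{ADOBE}"', ORIGINAL_MD5, True),
    Proc(9, ADOBE, ADOBE + r' /stext "C:\Users\user\AppData\Local\Temp\lajbmlzkezuensg"',
         ORIGINAL_MD5, True),
    Proc(10, ADOBE, ADOBE + r' /stext "C:\Users\user\AppData\Local\Temp\vdpundkdshmrqyukhkq"',
         ORIGINAL_MD5, True),
    Proc(11, ADOBE, ADOBE + r' /stext "C:\Users\user\AppData\Local\Temp\gxumowvfgpewamqoqvdmfn"',
         ORIGINAL_MD5, True),
    Proc(12, ADOBE, f'"{ADOBE}"', ORIGINAL_MD5, False),
]

# Assumed heuristic: NirSoft output names Remcos generates are lowercase
# letters only, long, and carry no extension.
RANDOM_NAME = re.compile(r"^[a-z]{12,}$")


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Whitespace tokenizer that keeps double-quoted spans together and drops
    the quotes; enough for the command lines in a sandbox or EDR listing."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def looks_generated(name: str) -> bool:
    """True for the throwaway file names handed to /stext."""
    return bool(RANDOM_NAME.match(name))


def find_stext_dumps(procs: list[Proc]) -> list[tuple[int, str, bool]]:
    """(target, output path, generated-name?) for every process run with /stext."""
    hits = []
    for p in procs:
        argv = split_windows_cmdline(p.cmdline)
        lowered = [a.lower() for a in argv]
        if "/stext" in lowered:
            i = lowered.index("/stext")
            out = argv[i + 1] if i + 1 < len(argv) else ""
            hits.append((p.target, out, looks_generated(ntpath.basename(out))))
    return hits


def find_dropped_copies(procs: list[Proc], original_md5: str = ORIGINAL_MD5) -> list[str]:
    """Paths other than the initial sample that executed a file with the same hash."""
    original = next(p.path for p in procs if p.target == 0)
    return sorted({p.path for p in procs
                   if p.md5.upper() == original_md5.upper() and p.path != original})


def triage(procs: list[Proc]) -> dict:
    """Summarise the two behaviours; 'in_temp' confirms the dumps land under %TEMP%."""
    dumps = find_stext_dumps(procs)
    return {
        "dropped_copies": find_dropped_copies(procs),
        "stext_dumps": dumps,
        "in_temp": bool(dumps) and all(
            "\\appdata\\local\\temp\\" in out.lower() for _, out, _ in dumps),
    }


if __name__ == "__main__":
    for key, value in triage(PROCESSES).items():
        print(f"{key}: {value}")
```

On a live host the same logic maps onto Sysmon Event ID 1 or an EDR process-creation feed: alert on any process whose command line contains /stext, and on any image under C:\ProgramData\<vendor>\ whose hash equals a file the same user session executed from Desktop or Downloads. The elevated and non-elevated instances both appear in the listing, so do not gate the rule on integrity level.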


                                                                    Execution Graph

                                                                    Execution Coverage:9.3%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:212
                                                                    Total number of Limit Nodes:12
                                                                    execution_graph: [rendered call graph; the node/edge dump is not readable as text and is cut off on the page. Windows API calls labelled on graph nodes: PostMessageW, CreateActCtxA, GetModuleHandleW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId. Nodes with no listed predecessor (subgraph entry points): 0x751d3d0, 0x14e4668, 0x14ed478, 0x751ba38. Several nodes under 0x751ba38 (0x751cf21, 0x751c985, 0x751c795, 0x751cce5, 0x751c706, 0x751c7e9, 0x751cc89, 0x751cab8, 0x751ca3b, 0x751c65a, 0x751cd8f, 0x751c8ce) are annotated "2 API calls".]
25186 751cf21 2 API calls 25184->25186 25187 751c985 2 API calls 25184->25187 25188 751c795 2 API calls 25184->25188 25189 751cce5 2 API calls 25184->25189 25190 751c706 2 API calls 25184->25190 25191 751c7e9 2 API calls 25184->25191 25192 751cc89 2 API calls 25184->25192 25193 751cab8 2 API calls 25184->25193 25194 751ca3b 2 API calls 25184->25194 25195 751c65a 2 API calls 25184->25195 25196 751cd8f 2 API calls 25184->25196 25197 751c8ce 2 API calls 25184->25197 25185 751c246 25185->25148 25186->25185 25187->25185 25188->25185 25189->25185 25190->25185 25191->25185 25192->25185 25193->25185 25194->25185 25195->25185 25196->25185 25197->25185 25199 751cf27 25198->25199 25257 751af51 25199->25257 25261 751af58 25199->25261 25200 751cf4d 25204 751c8d4 25203->25204 25265 751b290 25204->25265 25269 751b289 25204->25269 25205 751c776 25205->25154 25273 751b001 25208->25273 25277 751b008 25208->25277 25209 751cda9 25213 751c668 25212->25213 25281 751b41c 25213->25281 25285 751b428 25213->25285 25218 751ca54 25217->25218 25289 751b0e0 25218->25289 25293 751b0d8 25218->25293 25219 751ca59 25223 751ca54 25222->25223 25224 751ca59 25222->25224 25225 751b0e0 VirtualAllocEx 25223->25225 25226 751b0d8 VirtualAllocEx 25223->25226 25225->25224 25226->25224 25228 751ce41 25227->25228 25297 751d289 25228->25297 25302 751d298 25228->25302 25229 751ccb2 25229->25154 25233 751c801 25232->25233 25307 751b1a0 25233->25307 25311 751b198 25233->25311 25234 751c822 25234->25154 25238 751c65e 25237->25238 25240 751b428 CreateProcessA 25238->25240 25241 751b41c CreateProcessA 25238->25241 25239 751c74e 25239->25154 25240->25239 25241->25239 25243 751ccf9 25242->25243 25244 751d087 25243->25244 25246 751af51 ResumeThread 25243->25246 25247 751af58 ResumeThread 25243->25247 25245 751cf4d 25246->25245 25247->25245 25249 751c7a7 25248->25249 25251 751b1a0 WriteProcessMemory 25249->25251 25252 751b198 WriteProcessMemory 25249->25252 25250 751c822 25250->25154 25251->25250 25252->25250 25255 
751b1a0 WriteProcessMemory 25253->25255 25256 751b198 WriteProcessMemory 25253->25256 25254 751c9b3 25254->25154 25255->25254 25256->25254 25258 751af98 ResumeThread 25257->25258 25260 751afc9 25258->25260 25260->25200 25262 751af98 ResumeThread 25261->25262 25264 751afc9 25262->25264 25264->25200 25266 751b2db ReadProcessMemory 25265->25266 25268 751b31f 25266->25268 25268->25205 25270 751b290 ReadProcessMemory 25269->25270 25272 751b31f 25270->25272 25272->25205 25274 751b008 Wow64SetThreadContext 25273->25274 25276 751b095 25274->25276 25276->25209 25278 751b04d Wow64SetThreadContext 25277->25278 25280 751b095 25278->25280 25280->25209 25282 751b4b1 CreateProcessA 25281->25282 25284 751b673 25282->25284 25284->25284 25286 751b4b1 CreateProcessA 25285->25286 25288 751b673 25286->25288 25288->25288 25290 751b120 VirtualAllocEx 25289->25290 25292 751b15d 25290->25292 25292->25219 25294 751b0e0 VirtualAllocEx 25293->25294 25296 751b15d 25294->25296 25296->25219 25298 751d298 25297->25298 25300 751b001 Wow64SetThreadContext 25298->25300 25301 751b008 Wow64SetThreadContext 25298->25301 25299 751d2c3 25299->25229 25300->25299 25301->25299 25303 751d2ad 25302->25303 25305 751b001 Wow64SetThreadContext 25303->25305 25306 751b008 Wow64SetThreadContext 25303->25306 25304 751d2c3 25304->25229 25305->25304 25306->25304 25308 751b1e8 WriteProcessMemory 25307->25308 25310 751b23f 25308->25310 25310->25234 25312 751b1a0 WriteProcessMemory 25311->25312 25314 751b23f 25312->25314 25314->25234 25315 14ed6c0 DuplicateHandle 25316 14ed756 25315->25316

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 294 14ed468-14ed507 GetCurrentProcess 298 14ed509-14ed50f 294->298 299 14ed510-14ed544 GetCurrentThread 294->299 298->299 300 14ed54d-14ed581 GetCurrentProcess 299->300 301 14ed546-14ed54c 299->301 303 14ed58a-14ed5a5 call 14ed647 300->303 304 14ed583-14ed589 300->304 301->300 307 14ed5ab-14ed5da GetCurrentThreadId 303->307 304->303 308 14ed5dc-14ed5e2 307->308 309 14ed5e3-14ed645 307->309 308->309
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 014ED4F6
                                                                    • GetCurrentThread.KERNEL32 ref: 014ED533
                                                                    • GetCurrentProcess.KERNEL32 ref: 014ED570
                                                                    • GetCurrentThreadId.KERNEL32 ref: 014ED5C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2085329373.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_14e0000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 11fb34a6fd8cebed270aa34c2586d914c475b519688fe2343bceddd63141040c
                                                                    • Instruction ID: 62449d01ef300e05a0ae8b5502285151696d5886ad9e007302e4abd52a8b12aa
                                                                    • Opcode Fuzzy Hash: 11fb34a6fd8cebed270aa34c2586d914c475b519688fe2343bceddd63141040c
                                                                    • Instruction Fuzzy Hash: 855145B09003498FDB14CFA9D948B9EBFF1FF49314F24845AE409A7361DB399944CB65

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 316 14ed478-14ed507 GetCurrentProcess 320 14ed509-14ed50f 316->320 321 14ed510-14ed544 GetCurrentThread 316->321 320->321 322 14ed54d-14ed581 GetCurrentProcess 321->322 323 14ed546-14ed54c 321->323 325 14ed58a-14ed5a5 call 14ed647 322->325 326 14ed583-14ed589 322->326 323->322 329 14ed5ab-14ed5da GetCurrentThreadId 325->329 326->325 330 14ed5dc-14ed5e2 329->330 331 14ed5e3-14ed645 329->331 330->331
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 014ED4F6
                                                                    • GetCurrentThread.KERNEL32 ref: 014ED533
                                                                    • GetCurrentProcess.KERNEL32 ref: 014ED570
                                                                    • GetCurrentThreadId.KERNEL32 ref: 014ED5C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2085329373.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_14e0000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 580c5db4a1895aa35b3870ec33000874f8e6cce45ce9180cba99d9b3985deb0e
                                                                    • Instruction ID: 8d54242ef0cef777b647d40632ad0940442d5d0d7fd4d7ebb35997222ee8c82f
                                                                    • Opcode Fuzzy Hash: 580c5db4a1895aa35b3870ec33000874f8e6cce45ce9180cba99d9b3985deb0e
                                                                    • Instruction Fuzzy Hash: DA5135B0D003098FDB14DFAAD948B9EBBF1FF89314F24845AE409A7360DB359944CB65

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 423 751b41c-751b4bd 425 751b4f6-751b516 423->425 426 751b4bf-751b4c9 423->426 433 751b518-751b522 425->433 434 751b54f-751b57e 425->434 426->425 427 751b4cb-751b4cd 426->427 428 751b4f0-751b4f3 427->428 429 751b4cf-751b4d9 427->429 428->425 431 751b4db 429->431 432 751b4dd-751b4ec 429->432 431->432 432->432 435 751b4ee 432->435 433->434 436 751b524-751b526 433->436 440 751b580-751b58a 434->440 441 751b5b7-751b671 CreateProcessA 434->441 435->428 438 751b549-751b54c 436->438 439 751b528-751b532 436->439 438->434 442 751b534 439->442 443 751b536-751b545 439->443 440->441 444 751b58c-751b58e 440->444 454 751b673-751b679 441->454 455 751b67a-751b700 441->455 442->443 443->443 445 751b547 443->445 446 751b5b1-751b5b4 444->446 447 751b590-751b59a 444->447 445->438 446->441 449 751b59c 447->449 450 751b59e-751b5ad 447->450 449->450 450->450 451 751b5af 450->451 451->446 454->455 465 751b710-751b714 455->465 466 751b702-751b706 455->466 468 751b724-751b728 465->468 469 751b716-751b71a 465->469 466->465 467 751b708 466->467 467->465 471 751b738-751b73c 468->471 472 751b72a-751b72e 468->472 469->468 470 751b71c 469->470 470->468 474 751b74e-751b755 471->474 475 751b73e-751b744 471->475 472->471 473 751b730 472->473 473->471 476 751b757-751b766 474->476 477 751b76c 474->477 475->474 476->477 479 751b76d 477->479 479->479
                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0751B65E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    • Opcode ID: 35942e61d79c64cf7fe6432ee41cbe983592ada152ba30356f66825de6e85157
                                                                    • Instruction ID: 88e3d6c531ecc09153abab713db4e4b2a49a4a7f90469f4638229fdfe712ead4
                                                                    • Opcode Fuzzy Hash: 35942e61d79c64cf7fe6432ee41cbe983592ada152ba30356f66825de6e85157
                                                                    • Instruction Fuzzy Hash: 14A13BB1D0021A8FEB24CF69C881BEDBBB2FF48311F15856AD809A7250DB749985CF91

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 480 751b428-751b4bd 482 751b4f6-751b516 480->482 483 751b4bf-751b4c9 480->483 490 751b518-751b522 482->490 491 751b54f-751b57e 482->491 483->482 484 751b4cb-751b4cd 483->484 485 751b4f0-751b4f3 484->485 486 751b4cf-751b4d9 484->486 485->482 488 751b4db 486->488 489 751b4dd-751b4ec 486->489 488->489 489->489 492 751b4ee 489->492 490->491 493 751b524-751b526 490->493 497 751b580-751b58a 491->497 498 751b5b7-751b671 CreateProcessA 491->498 492->485 495 751b549-751b54c 493->495 496 751b528-751b532 493->496 495->491 499 751b534 496->499 500 751b536-751b545 496->500 497->498 501 751b58c-751b58e 497->501 511 751b673-751b679 498->511 512 751b67a-751b700 498->512 499->500 500->500 502 751b547 500->502 503 751b5b1-751b5b4 501->503 504 751b590-751b59a 501->504 502->495 503->498 506 751b59c 504->506 507 751b59e-751b5ad 504->507 506->507 507->507 508 751b5af 507->508 508->503 511->512 522 751b710-751b714 512->522 523 751b702-751b706 512->523 525 751b724-751b728 522->525 526 751b716-751b71a 522->526 523->522 524 751b708 523->524 524->522 528 751b738-751b73c 525->528 529 751b72a-751b72e 525->529 526->525 527 751b71c 526->527 527->525 531 751b74e-751b755 528->531 532 751b73e-751b744 528->532 529->528 530 751b730 529->530 530->528 533 751b757-751b766 531->533 534 751b76c 531->534 532->531 533->534 536 751b76d 534->536 536->536
                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0751B65E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    • Opcode ID: 0f87f95e41dd92625706312907dc7a9375720266f31b2b4a50d6b0dabf21dc7b
                                                                    • Instruction ID: d3af6d998dc4cb852ab49178005f18557a6de71bc987bea094e5e357f20697bb
                                                                    • Opcode Fuzzy Hash: 0f87f95e41dd92625706312907dc7a9375720266f31b2b4a50d6b0dabf21dc7b
                                                                    • Instruction Fuzzy Hash: 58913BB1D0021ACFEF24CF69C891BEDBBB2BF48311F15856AD809A7250DB749985CF91

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 537 14eade8-14eadf7 538 14eadf9-14eae06 call 14e9414 537->538 539 14eae23-14eae27 537->539 544 14eae1c 538->544 545 14eae08 538->545 540 14eae3b-14eae7c 539->540 541 14eae29-14eae33 539->541 548 14eae7e-14eae86 540->548 549 14eae89-14eae97 540->549 541->540 544->539 592 14eae0e call 14eb070 545->592 593 14eae0e call 14eb080 545->593 548->549 551 14eaebb-14eaebd 549->551 552 14eae99-14eae9e 549->552 550 14eae14-14eae16 550->544 555 14eaf58-14eb018 550->555 556 14eaec0-14eaec7 551->556 553 14eaea9 552->553 554 14eaea0-14eaea7 call 14ea150 552->554 558 14eaeab-14eaeb9 553->558 554->558 587 14eb01a-14eb01d 555->587 588 14eb020-14eb04b GetModuleHandleW 555->588 559 14eaec9-14eaed1 556->559 560 14eaed4-14eaedb 556->560 558->556 559->560 562 14eaedd-14eaee5 560->562 563 14eaee8-14eaef1 call 14ea160 560->563 562->563 568 14eaefe-14eaf03 563->568 569 14eaef3-14eaefb 563->569 571 14eaf05-14eaf0c 568->571 572 14eaf21-14eaf2e 568->572 569->568 571->572 573 14eaf0e-14eaf1e call 14ea170 call 14ea180 571->573 578 14eaf30-14eaf4e 572->578 579 14eaf51-14eaf57 572->579 573->572 578->579 587->588 589 14eb04d-14eb053 588->589 590 14eb054-14eb068 588->590 589->590 592->550 593->550
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 014EB03E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2085329373.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_14e0000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: dab49c13b39dbae9892273afd3b05e66998aa1f8a76a4ec536d72388acd3c528
                                                                    • Instruction ID: 5066b1a3196a5a8d225ce3493519342743214c099c5bb348d73d169baf8fe1ce
                                                                    • Opcode Fuzzy Hash: dab49c13b39dbae9892273afd3b05e66998aa1f8a76a4ec536d72388acd3c528
                                                                    • Instruction Fuzzy Hash: 2D7132B0A00B058FDB24DF6AD44875ABBF1FF88215F10892ED58AD7B60D734E949CB90

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 702 14e590c-14e5913 703 14e5918-14e59d9 CreateActCtxA 702->703 705 14e59db-14e59e1 703->705 706 14e59e2-14e5a3c 703->706 705->706 713 14e5a3e-14e5a41 706->713 714 14e5a4b-14e5a4f 706->714 713->714 715 14e5a60 714->715 716 14e5a51-14e5a5d 714->716 718 14e5a61 715->718 716->715 718->718
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 014E59C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2085329373.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_14e0000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 6fa9c69fe8ac7c036d5a9ff4dbb1ebbff15ca0b65141302157cb0a1c8ead8ef2
                                                                    • Instruction ID: f4a58c5aa92286658637275e0d7aeb01622defd8d1be60aff146f3d8533effac
                                                                    • Opcode Fuzzy Hash: 6fa9c69fe8ac7c036d5a9ff4dbb1ebbff15ca0b65141302157cb0a1c8ead8ef2
                                                                    • Instruction Fuzzy Hash: 3941BFB5C00719CBDB24CFA9C884BDEBBF5BF49304F24815AD409AB261DB756949CF90

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 719 14e44b4-14e59d9 CreateActCtxA 722 14e59db-14e59e1 719->722 723 14e59e2-14e5a3c 719->723 722->723 730 14e5a3e-14e5a41 723->730 731 14e5a4b-14e5a4f 723->731 730->731 732 14e5a60 731->732 733 14e5a51-14e5a5d 731->733 735 14e5a61 732->735 733->732 735->735
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 014E59C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2085329373.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_14e0000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 90d560a3d7dbf5aa602a2e048c4e320662058e1dacd84d7c1afd2582a90e6e9e
                                                                    • Instruction ID: 399711c289b15695feb8710311c99d17537f091ac28342ed49ee4336189e0960
                                                                    • Opcode Fuzzy Hash: 90d560a3d7dbf5aa602a2e048c4e320662058e1dacd84d7c1afd2582a90e6e9e
                                                                    • Instruction Fuzzy Hash: C241C2B5C00719CBDB24DFA9C884BDEBBF5BF49304F20815AD408AB261DB756949CF90

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 736 751b198-751b1ee 739 751b1f0-751b1fc 736->739 740 751b1fe-751b23d WriteProcessMemory 736->740 739->740 742 751b246-751b276 740->742 743 751b23f-751b245 740->743 743->742
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0751B230
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: 613b05d57c413da33c4ababdc04125310da33c1f569bb6194ee2d18d3302856b
                                                                    • Instruction ID: 8e37442f60b523b24902eedcecd952447f9e4bcc5a9bfe9e34ed857237f177b2
                                                                    • Opcode Fuzzy Hash: 613b05d57c413da33c4ababdc04125310da33c1f569bb6194ee2d18d3302856b
                                                                    • Instruction Fuzzy Hash: 39215AB69003599FDB10CFA9D881BDEBBF5FF48320F50842AE918A7251C7789954CBA0

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 758 751b1a0-751b1ee 760 751b1f0-751b1fc 758->760 761 751b1fe-751b23d WriteProcessMemory 758->761 760->761 763 751b246-751b276 761->763 764 751b23f-751b245 761->764 764->763
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0751B230
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: 74a848dda6a34193d91261828102a52f8ac8cc094ee3b24889152d448d3dc8da
                                                                    • Instruction ID: 8b1fe13ebe50c9932b61aa653b53a992b9124312490f1585abf4ab6357043437
                                                                    • Opcode Fuzzy Hash: 74a848dda6a34193d91261828102a52f8ac8cc094ee3b24889152d448d3dc8da
                                                                    • Instruction Fuzzy Hash: 012139B29003599FDB10CFA9C885BDEBBF5FF48310F54842AE918A7250D7799944DBA0

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 747 751b001-751b053 750 751b063-751b093 Wow64SetThreadContext 747->750 751 751b055-751b061 747->751 753 751b095-751b09b 750->753 754 751b09c-751b0cc 750->754 751->750 753->754
                                                                    APIs
                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0751B086
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd

Control-flow Graph (rendered figure; the executed / not-executed colouring is not recoverable from the text)
• Blocks and edges: 751b289-751b31d (calls ReadProcessMemory) -> {751b31f-751b325, 751b326-751b356}; 751b31f-751b325 -> 751b326-751b356
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0751B310
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0751B310
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0751B086
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014ED747
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2085329373.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
• Snapshot File: hcaresult_0_2_14e0000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014ED747
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2085329373.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
• Snapshot File: hcaresult_0_2_14e0000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0751B14E
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0751B14E
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0751D6AD
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• (no API reference recorded for this function; API ID: ResumeThread)
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• (no API reference recorded for this function; API ID: ResumeThread)
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0751D6AD
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014EB03E
Memory Dump Source (Joe Sandbox IDA Plugin)
• Source File: 00000000.00000002.2085329373.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
• Snapshot File: hcaresult_0_2_14e0000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e5f30ab5364dcefa0171a620d25fcb8418617c383aca36f5f972a646d9c455b7
                                                                    • Instruction ID: d123fdcc5a948910d2193d980958bdf49aef28f96c47202bc81db71340fac737
                                                                    • Opcode Fuzzy Hash: e5f30ab5364dcefa0171a620d25fcb8418617c383aca36f5f972a646d9c455b7
                                                                    • Instruction Fuzzy Hash: 64E1F5B4E012198FDB15CFA9C5809AEBBB2FF89305F24C169E415AB355D734AD42CFA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0aecf3ee043b19fb0cb43742249f37896ddadfc0103add1fa618d75a13b2d674
                                                                    • Instruction ID: 30c7d3273ecb1dad17b6c155fe285aa5120ae3df2ce9732b024b1b5ba373ed65
                                                                    • Opcode Fuzzy Hash: 0aecf3ee043b19fb0cb43742249f37896ddadfc0103add1fa618d75a13b2d674
                                                                    • Instruction Fuzzy Hash: 7AE116B4E006198FDB14CFA8C5809AEFBB2FF89315F248169E415AB355C735AD41CFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a4489d1b453ee68f13dca8b464c2c9cd43e76b41bfd18daea71303ebe3dc3c41
                                                                    • Instruction ID: b0fd4e312ba9a82424f8f7a32b991ce5eab997bdc7256314473c70b89bdffb5e
                                                                    • Opcode Fuzzy Hash: a4489d1b453ee68f13dca8b464c2c9cd43e76b41bfd18daea71303ebe3dc3c41
                                                                    • Instruction Fuzzy Hash: A7E116B4E002598FDB14CFA8C5909AEBBB2FF89305F24C169E415AB355C735AD81CFA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2091633106.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7510000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: af5f2248fda8556d1bf11575677cb9de2288afc27914d412c78631f38ceb9356
                                                                    • Instruction ID: cae9ca4be36291c847e4d18e0726b80385b6365cc09f5dda206d099ddacbbcc0
                                                                    • Opcode Fuzzy Hash: af5f2248fda8556d1bf11575677cb9de2288afc27914d412c78631f38ceb9356
                                                                    • Instruction Fuzzy Hash: 4CE1F5B4E002198FDB24CFA9C5809AEBBB2FF89315F24C169E415AB355D734AD41CFA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2085329373.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_14e0000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f5a198ac48275007ce18e8628a0b98bc1d2b7dad5f9097d4f98e8f5abc973d45
                                                                    • Instruction ID: 6f5aad0e05b54c09003f11136702538b9d58d174b7f8dfddf9d70778e96f1513
                                                                    • Opcode Fuzzy Hash: f5a198ac48275007ce18e8628a0b98bc1d2b7dad5f9097d4f98e8f5abc973d45
                                                                    • Instruction Fuzzy Hash: B4A17B32E0021A8FCF05DFB5C84859EBBF2FF95301B15856AE905AB265DB71E90ACB40

                                                                    Execution Graph

                                                                    Execution Coverage:1.9%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:1.9%
                                                                    Total number of Nodes:720
                                                                    Total number of Limit Nodes:27
                                                                    execution_graph: interactive node/edge graph not reproduced as text (node IDs, basic-block addresses and edges omitted).
                                                                    Win32 API call nodes visible in the graph: GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlAllocateHeap, EnterCriticalSection, LeaveCriticalSection, RaiseException, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoW, GetModuleHandleW, GetModuleHandleA, LoadLibraryA, GetProcAddress, GetModuleFileNameW, FindResourceA, LoadResource, LockResource, SizeofResource, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegOpenKeyExW, RegDeleteValueW, RegCreateKeyW, RegSetValueExW, CreateProcessA, CloseHandle, CreateMutexA, GetLastError, StrToIntA, CreateThread, GetLongPathNameW, CreateDirectoryW, CopyFileW, SetFileAttributesW, ShellExecuteW, ExitProcess, DeleteFileW, Sleep.

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                                    • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleLibraryLoadModule
                                                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                                    • API String ID: 384173800-625181639
                                                                    • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                    • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                                    • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                                    • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0041BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                                      • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                                      • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                                      • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                                      • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                                      • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                                      • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                                      • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                                      • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                                      • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                                      • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                                      • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                                      • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                                      • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                                      • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                                      • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe,00000104), ref: 0040D790
                                                                      • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                                    • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                                    • API String ID: 2830904901-3176640232
                                                                    • Opcode ID: 162acc86a66230b9b3e4adaddac357115f1680ca5faa5d0831c95cfefcbb57ab
                                                                    • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                                    • Opcode Fuzzy Hash: 162acc86a66230b9b3e4adaddac357115f1680ca5faa5d0831c95cfefcbb57ab
                                                                    • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 0040BC75
                                                                    • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                                    • CopyFileW.KERNELBASE(C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                                    • _wcslen.LIBCMT ref: 0040BD54
                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe,00000000,00000000), ref: 0040BDF2
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                                    • _wcslen.LIBCMT ref: 0040BE34
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                                    • ExitProcess.KERNEL32 ref: 0040BED0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                                    • String ID: 6$C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe$del$open$BG$BG
                                                                    • API String ID: 1579085052-915434433
                                                                    • Opcode ID: 1dfc8a95e9f2fa8f15eef755b153a8034996a407d8c67b2864cbd51f99b60f53
                                                                    • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                                    • Opcode Fuzzy Hash: 1dfc8a95e9f2fa8f15eef755b153a8034996a407d8c67b2864cbd51f99b60f53
                                                                    • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LongNamePath
                                                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                    • API String ID: 82841172-425784914
                                                                    • Opcode ID: c2d06ea8c2a66cf5c705706c372c41cf9f81b2c3d5dea1c7eec24b750922d7eb
                                                                    • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                                    • Opcode Fuzzy Hash: c2d06ea8c2a66cf5c705706c372c41cf9f81b2c3d5dea1c7eec24b750922d7eb
                                                                    • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                      • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                      • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                      • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                                    • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCurrentOpenProcessQueryValue
                                                                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                    • API String ID: 1866151309-2070987746
                                                                    • Opcode ID: c28e8bf06c7bd464c54825a7174b2fee0dd0f803164bd22ac966e04bdcbe38d4
                                                                    • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                                    • Opcode Fuzzy Hash: c28e8bf06c7bd464c54825a7174b2fee0dd0f803164bd22ac966e04bdcbe38d4
                                                                    • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
                                                                    • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,759237E0,?), ref: 004127AD
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,759237E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreateValue
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                    • API String ID: 1818849710-1051519024
                                                                    • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                                    • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                                    • Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                                    • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

                                                                    Control-flow Graph
                                                                    control_flow_graph 662 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
                                                                    APIs
                                                                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                                    • GetLastError.KERNEL32 ref: 0040BEF1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateErrorLastMutex
                                                                    • String ID: (CG
                                                                    • API String ID: 1925916568-4210230975
                                                                    • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                                    • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                                    • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                                    • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                                                                    Control-flow Graph
                                                                    control_flow_graph 665 412513-41253f RegOpenKeyExA 666 412541-412567 RegQueryValueExA RegCloseKey 665->666 667 412572 665->667 666->667 668 412569-412570 666->668 669 412577-412583 call 401f66 667->669 668->669
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                    • RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 3677997916-0
                                                                    • Opcode ID: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
                                                                    • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                                    • Opcode Fuzzy Hash: 1596a47d3a3a9d7b824bf65cdf317066f9d5dabbc4d5e1023ecf94da71e9672a
                                                                    • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

                                                                    Control-flow Graph
                                                                    control_flow_graph 672 4124b7-4124df RegOpenKeyExA 673 4124e1-412509 RegQueryValueExA RegCloseKey 672->673 674 41250f-412512 672->674 673->674 675 41250b-41250e 673->675
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                                    • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID:
                                                                    • API String ID: 3677997916-0
                                                                    • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                    • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                                    • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                                    • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044E1C2
                                                                    • _free.LIBCMT ref: 0044E1FB
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E202
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: EnvironmentStrings$Free_free
                                                                    • String ID:
                                                                    • API String ID: 2716640707-0
                                                                    • Opcode ID: 032fcb4f66621f9a486cbfb9aa35bb7b186a8ceb34f2922937091fe798fd91d5
                                                                    • Instruction ID: bde093253d31ff8e435db0bb20b1dc60884eb56c9c20eb6ac573b4202a4b54cd
                                                                    • Opcode Fuzzy Hash: 032fcb4f66621f9a486cbfb9aa35bb7b186a8ceb34f2922937091fe798fd91d5
                                                                    • Instruction Fuzzy Hash: B8E0653714492126F211362B7C89D6F2A1DEFC2775B26013AF50596243EE688D0641EA

                                                                    Control-flow Graph
                                                                    control_flow_graph 718 43360d-433610 719 43361f-433622 call 43a88c 718->719 721 433627-43362a 719->721 722 433612-43361d call 442200 721->722 723 43362c-43362d 721->723 722->719 726 43362e-433632 722->726 727 433638-433dec call 433d58 call 437bd7 726->727 728 433ded-433e09 call 433d8b call 437bd7 726->728 727->728
                                                                    APIs
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                                      • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,1DC,?,00475B70,00473D54,00000000,?,?,?,?,00434431,?,0046D680,?), ref: 00437C37
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                    • String ID:
                                                                    • API String ID: 3476068407-0
                                                                    • Opcode ID: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                                    • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                                    • Opcode Fuzzy Hash: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                                    • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D

                                                                    Control-flow Graph
                                                                    control_flow_graph 738 446aff-446b0b 739 446b3d-446b48 call 445354 738->739 740 446b0d-446b0f 738->740 747 446b4a-446b4c 739->747 741 446b11-446b12 740->741 742 446b28-446b39 RtlAllocateHeap 740->742 741->742 744 446b14-446b1b call 4447c5 742->744 745 446b3b 742->745 744->739 750 446b1d-446b26 call 442200 744->750 745->747 750->739 750->742
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                                    • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                                    • Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                                    • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                                    APIs
                                                                    • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                                    • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                                      • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                                      • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                                      • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                                      • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                                      • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                      • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                      • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                      • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                      • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                      • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                      • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                                      • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                                    • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                                      • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                                      • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                      • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                    • Sleep.KERNEL32(000007D0), ref: 00407976
                                                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                                      • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                                    • API String ID: 2918587301-599666313
                                                                    • Opcode ID: 837214dce98ca1b2b2073b1697b820e369ac81518af4a92b317c91ee19e5831a
                                                                    • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                                    • Opcode Fuzzy Hash: 837214dce98ca1b2b2073b1697b820e369ac81518af4a92b317c91ee19e5831a
                                                                    • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                                    APIs
                                                                    • __Init_thread_footer.LIBCMT ref: 0040508E
                                                                      • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                                      • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    • __Init_thread_footer.LIBCMT ref: 004050CB
                                                                    • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                                    • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                                      • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                                      • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                                      • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                                    • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                                    • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                                    • CloseHandle.KERNEL32 ref: 004053CD
                                                                    • CloseHandle.KERNEL32 ref: 004053D5
                                                                    • CloseHandle.KERNEL32 ref: 004053E7
                                                                    • CloseHandle.KERNEL32 ref: 004053EF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                    • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                                    • API String ID: 3815868655-81343324
                                                                    • Opcode ID: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                                                    • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                                    • Opcode Fuzzy Hash: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                                                    • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                                    APIs
                                                                    • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                      • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                      • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                                    • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                                      • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                                      • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                                      • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                                      • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                                    • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                                    • API String ID: 65172268-860466531
                                                                    • Opcode ID: 5a81626a4609f3178aed30ff3a92a065a3326e2b32edd8bbe01bcb9fad261df8
                                                                    • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                                    • Opcode Fuzzy Hash: 5a81626a4609f3178aed30ff3a92a065a3326e2b32edd8bbe01bcb9fad261df8
                                                                    • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                                    • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                                    • FindClose.KERNEL32(00000000), ref: 0040B517
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$CloseFile$FirstNext
                                                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                    • API String ID: 1164774033-3681987949
                                                                    • Opcode ID: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                                    • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                                    • Opcode Fuzzy Hash: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                                    • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                                    • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                                    • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                                    • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$Close$File$FirstNext
                                                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                    • API String ID: 3527384056-432212279
                                                                    • Opcode ID: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                                    • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                                    • Opcode Fuzzy Hash: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                                    • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                      • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                      • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                                    • API String ID: 726551946-3025026198
                                                                    • Opcode ID: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                                    • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                                    • Opcode Fuzzy Hash: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                                    • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                                    APIs
                                                                    • OpenClipboard.USER32 ref: 004159C7
                                                                    • EmptyClipboard.USER32 ref: 004159D5
                                                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                                    • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                                    • CloseClipboard.USER32 ref: 00415A5A
                                                                    • OpenClipboard.USER32 ref: 00415A61
                                                                    • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                    • CloseClipboard.USER32 ref: 00415A89
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                                    • String ID:
                                                                    • API String ID: 3520204547-0
                                                                    • Opcode ID: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                                    • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                                    • Opcode Fuzzy Hash: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                                    • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0$1$2$3$4$5$6$7
                                                                    • API String ID: 0-3177665633
                                                                    • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                                    • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                                    • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                                    • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                                    APIs
                                                                    • GetForegroundWindow.USER32 ref: 00409B3F
                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                    • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                    • GetKeyState.USER32(00000010), ref: 00409B5C
                                                                    • GetKeyboardState.USER32(?), ref: 00409B67
                                                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                                    • String ID: 8[G
                                                                    • API String ID: 1888522110-1691237782
                                                                    • Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                                    • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                                    • Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                                    • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 00406788
                                                                    • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Object_wcslen
                                                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                                    • API String ID: 240030777-3166923314
                                                                    • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                                    • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                                    • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                                    • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
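The CoGetObject record above carries the COM elevation moniker `Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}` (the CMSTPLUA CLSID the report's "bypass UAC (CMSTPLUA)" signature refers to). CoGetObject takes that moniker as a wide string, so an ASCII-only search of a memory dump can miss it. The scanner below is an added example, not part of this report, of Joe Sandbox, or of the sample: it searches a buffer for the report's own String ID values (moniker and CLSID, watchdog, Firefox cleanup, keylogger) in both ASCII and UTF-16LE, then requires two independent behaviour categories before calling the buffer Remcos-like. The buffer it runs on is constructed here, and the category names and the two-category threshold are this example's own choices.

```python
"""Scan a memory buffer for the indicator strings listed in this report's
String ID lines, in both ASCII and UTF-16LE. Added example, not part of the
report; the category names and scoring threshold are this example's own."""
from __future__ import annotations
import re
from collections import Counter

# Indicator strings copied from the String ID lines of this report, grouped by behaviour.
INDICATORS = {
    "uac_bypass_cmstplua": [
        "Elevation:Administrator!new:",
        "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",  # CMSTPLUA CLSID
    ],
    "watchdog": [
        "Remcos restarted by watchdog!",
        "Watchdog module activated",
        "Watchdog launch failed!",
    ],
    "firefox_cleanup": [
        "[Firefox StoredLogins Cleared!]",
        "[Firefox cookies found, cleared!]",
    ],
    "keylogger": ["Keylogger initialization failure: error"],
}

def _patterns(text: str):
    """ASCII and UTF-16LE byte patterns for one indicator. Case-insensitive,
    because GUID strings are not consistently cased across builds."""
    for label, codec in (("ascii", "ascii"), ("utf16le", "utf-16-le")):
        yield label, re.compile(re.escape(text.encode(codec)), re.IGNORECASE)

def scan(buf: bytes) -> list[tuple[int, str, str, str]]:
    """Return (offset, category, encoding, indicator) for every hit, ordered by offset."""
    hits = []
    for category, strings in INDICATORS.items():
        for text in strings:
            for label, pat in _patterns(text):
                hits.extend((m.start(), category, label, text) for m in pat.finditer(buf))
    return sorted(hits)

def categories(hits) -> dict[str, int]:
    """Hit count per behaviour category."""
    return dict(Counter(h[1] for h in hits))

def is_remcos_like(hits) -> bool:
    """Require two independent behaviours: the elevation moniker is a documented
    COM API and also appears in legitimate software that elevates through it."""
    return len(categories(hits)) >= 2

# Constructed sample buffer (not a real dump): NUL padding, the moniker as the
# wide string CoGetObject receives (lowercase CLSID), and one ASCII watchdog string.
SAMPLE = (
    b"\x00" * 64
    + "Elevation:Administrator!new:{3e5fc7f9-9a51-4367-9063-a120244fbec7}".encode("utf-16-le")
    + b"\x00" * 16
    + b"Remcos restarted by watchdog!\x00"
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for offset, category, encoding, text in found:
        print(f"0x{offset:06x} {category:20} {encoding:8} {text}")
    print("categories:", categories(found), "remcos-like:", is_remcos_like(found))
```

Run it against a process dump such as the `.sdmp` files this report references; the encoding column tells you whether a hit came from the ASCII or the wide copy of the string, which matters when you turn these indicators into YARA rules (`ascii wide` on the moniker, `ascii` alone is enough for the watchdog messages).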
                                                                    APIs
                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                                    • GetLastError.KERNEL32 ref: 00419935
                                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                    • String ID:
                                                                    • API String ID: 3587775597-0
                                                                    • Opcode ID: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                                    • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                                    • Opcode Fuzzy Hash: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                                    • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                                    APIs
                                                                      • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                      • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                                    • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                                    • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                    • String ID: <D$<D$<D
                                                                    • API String ID: 745075371-3495170934
                                                                    • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                    • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                                    • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                                    • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B529
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B536
                                                                      • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B570
                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B583
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                    • String ID:
                                                                    • API String ID: 2341273852-0
                                                                    • Opcode ID: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                                                    • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                                    • Opcode Fuzzy Hash: 38605e05b284b3287545d71b9912fe11a1e5e192bb535f2a18b99cb8ec032d5d
                                                                    • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                                      • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Find$CreateFirstNext
                                                                    • String ID: @CG$XCG$`HG$`HG$>G
                                                                    • API String ID: 341183262-3780268858
                                                                    • Opcode ID: c7ab7af1c0f5eed08ada90e0087c4ff74bdb9080a69c09e479a4fb32dedf6aac
                                                                    • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                                    • Opcode Fuzzy Hash: c7ab7af1c0f5eed08ada90e0087c4ff74bdb9080a69c09e479a4fb32dedf6aac
                                                                    • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                                    • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                                    • GetLastError.KERNEL32 ref: 00409A1B
                                                                      • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                                    • TranslateMessage.USER32(?), ref: 00409A7A
                                                                    • DispatchMessageA.USER32(?), ref: 00409A85
                                                                    Strings
                                                                    • Keylogger initialization failure: error , xrefs: 00409A32
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                                    • String ID: Keylogger initialization failure: error
                                                                    • API String ID: 3219506041-952744263
                                                                    • Opcode ID: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                                    • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                                    • Opcode Fuzzy Hash: 10065da0f80e2b1588f186909b8751ab17816e81d90ef01b858d99eb9022e310
                                                                    • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                                                    APIs
                                                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                    • API String ID: 2127411465-314212984
                                                                    • Opcode ID: 1163e221b778e35c2499fbcc33069a612b15ae3562f6ed67ec451ccccf7f4a1f
                                                                    • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                                    • Opcode Fuzzy Hash: 1163e221b778e35c2499fbcc33069a612b15ae3562f6ed67ec451ccccf7f4a1f
                                                                    • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                                    APIs
                                                                      • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                                      • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                                      • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                                    • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                                    • ExitProcess.KERNEL32 ref: 0040E672
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                                                    • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                                    • API String ID: 2281282204-3981147832
                                                                    • Opcode ID: e7420bd81adcf7ecaeb63c441a7eb2a496d40f418d65372005f5d4e07d0bafb2
                                                                    • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                                    • Opcode Fuzzy Hash: e7420bd81adcf7ecaeb63c441a7eb2a496d40f418d65372005f5d4e07d0bafb2
                                                                    • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                                                    APIs
                                                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                                    • GetLastError.KERNEL32 ref: 0040B261
                                                                    Strings
                                                                    • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                                    • UserProfile, xrefs: 0040B227
                                                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DeleteErrorFileLast
                                                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                    • API String ID: 2018770650-1062637481
                                                                    • Opcode ID: b5e309dbdaf0aeabe7af2cd1639cb477138ee585283f82b93ad88acdd4edf375
                                                                    • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                                    • Opcode Fuzzy Hash: b5e309dbdaf0aeabe7af2cd1639cb477138ee585283f82b93ad88acdd4edf375
                                                                    • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                    • GetLastError.KERNEL32 ref: 00416B02
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                    • String ID: SeShutdownPrivilege
                                                                    • API String ID: 3534403312-3733053543
                                                                    • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                    • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                                    • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                                    • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 004089AE
                                                                      • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                      • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                                      • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                                      • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                                      • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                                      • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                                      • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                                    • String ID:
                                                                    • API String ID: 4043647387-0
                                                                    • Opcode ID: 09a69e0303e81d48d1e7444200da9c76687e86ed7c9a89389c8c98f32268c2c3
                                                                    • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                                    • Opcode Fuzzy Hash: 09a69e0303e81d48d1e7444200da9c76687e86ed7c9a89389c8c98f32268c2c3
                                                                    • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                                                    • String ID:
                                                                    • API String ID: 276877138-0
                                                                    • Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                                    • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                                    • Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                                    • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                                    APIs
                                                                      • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                                      • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                                      • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                                      • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                                      • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                                    • String ID: PowrProf.dll$SetSuspendState
                                                                    • API String ID: 1589313981-1420736420
                                                                    • Opcode ID: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                                                    • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                                    • Opcode Fuzzy Hash: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                                                    • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                                    • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID: ACP$OCP
                                                                    • API String ID: 2299586839-711371036
                                                                    • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                    • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                                    • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                                    • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                                    APIs
                                                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                                    • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                                    • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                                    • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                    • String ID: SETTINGS
                                                                    • API String ID: 3473537107-594951305
                                                                    • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                    • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                                    • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                                    • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00407A91
                                                                    • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Find$File$CloseFirstH_prologNext
                                                                    • String ID:
                                                                    • API String ID: 1157919129-0
                                                                    • Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                                    • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                                    • Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                                    • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                                    APIs
                                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                    • _free.LIBCMT ref: 00448067
                                                                      • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                      • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                    • _free.LIBCMT ref: 00448233
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                    • String ID:
                                                                    • API String ID: 1286116820-0
                                                                    • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                    • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                                    • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                                    • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                                    APIs
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                                    Strings
                                                                    • open, xrefs: 0040622E
                                                                    • C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, xrefs: 0040627F, 004063A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DownloadExecuteFileShell
                                                                    • String ID: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe$open
                                                                    • API String ID: 2825088817-3100014232
                                                                    • Opcode ID: 5adff465ff0e5c6f3c124b44dbfa886a055acdc78a66fe405cab157b341b5a3e
                                                                    • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                                    • Opcode Fuzzy Hash: 5adff465ff0e5c6f3c124b44dbfa886a055acdc78a66fe405cab157b341b5a3e
                                                                    • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileFind$FirstNextsend
                                                                    • String ID: x@G$x@G
                                                                    • API String ID: 4113138495-3390264752
                                                                    • Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                                    • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                                    • Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                                    • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                                    APIs
                                                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                                      • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                                      • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                                      • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreateInfoParametersSystemValue
                                                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                    • API String ID: 4127273184-3576401099
                                                                    • Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                                    • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                                    • Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                                    • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                                    APIs
                                                                      • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                      • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                                    • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                                    • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                    • String ID:
                                                                    • API String ID: 4212172061-0
                                                                    • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                    • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                                    • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                                    • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00408DAC
                                                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileFind$FirstH_prologNext
                                                                    • String ID:
                                                                    • API String ID: 301083792-0
                                                                    • Opcode ID: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                                    • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                                    • Opcode Fuzzy Hash: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                                    • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                                    APIs
                                                                      • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                      • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                                                    • String ID:
                                                                    • API String ID: 2829624132-0
                                                                    • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                                    • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                                    • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                                    • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A75F
                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A76C
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                    • String ID:
                                                                    • API String ID: 3906539128-0
                                                                    • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                    • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                                    • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                                    • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                                    APIs
                                                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                                    • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                                    • String ID:
                                                                    • API String ID: 1815803762-0
                                                                    • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                    • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                                    • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                                    • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
                                                                    • TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
                                                                    • ExitProcess.KERNEL32 ref: 0044258E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$CurrentExitTerminate
                                                                    • String ID:
                                                                    • API String ID: 1703294689-0
                                                                    • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                    • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                                    • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                                    • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .
                                                                    • API String ID: 0-248832578
                                                                    • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                    • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                                    • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                                    • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                                    APIs
                                                                      • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                      • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                    • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                    • String ID: <D
                                                                    • API String ID: 1084509184-3866323178
                                                                    • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                    • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                                    • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                                    • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                                    APIs
                                                                      • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                      • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                    • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                    • String ID: <D
                                                                    • API String ID: 1084509184-3866323178
                                                                    • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                    • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                                    • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                                    • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID: GetLocaleInfoEx
                                                                    • API String ID: 2299586839-2904428671
                                                                    • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                    • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                                    • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                                    • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                                    APIs
                                                                      • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                      • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                                                    • String ID:
                                                                    • API String ID: 1663032902-0
                                                                    • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                    • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                                    • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                                    • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                                    APIs
                                                                      • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                      • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$InfoLocale_abort_free
                                                                    • String ID:
                                                                    • API String ID: 2692324296-0
                                                                    • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                    • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                                    • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                                    • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                                    APIs
                                                                    • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: NameUser
                                                                    • String ID:
                                                                    • API String ID: 2645101109-0
                                                                    • Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                                    • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                                    • Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                                    • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                                    APIs
                                                                      • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                                                    • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                    • String ID:
                                                                    • API String ID: 1272433827-0
                                                                    • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                    • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                                    • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                                    • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                                    APIs
                                                                      • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                      • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                    • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                    • String ID:
                                                                    • API String ID: 1084509184-0
                                                                    • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                    • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                                    • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                                    • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                                    APIs
                                                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID:
                                                                    • API String ID: 2299586839-0
                                                                    • Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                                    • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                                    • Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                                    • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: recv
                                                                    • String ID:
                                                                    • API String ID: 1507349165-0
                                                                    • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                    • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                                    • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                                    • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                    • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                                    • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                                    • Instruction Fuzzy Hash:
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HeapProcess
                                                                    • String ID:
                                                                    • API String ID: 54951025-0
                                                                    • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                    • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                                    • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                                    • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                                    APIs
                                                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                                      • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                                    • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                                    • DeleteDC.GDI32(?), ref: 0041805D
                                                                    • DeleteDC.GDI32(00000000), ref: 00418060
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                                    • GetIconInfo.USER32(?,?), ref: 004180CB
                                                                    • DeleteObject.GDI32(?), ref: 004180FA
                                                                    • DeleteObject.GDI32(?), ref: 00418107
                                                                    • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                                    • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                                    • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                                    • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                                    • DeleteDC.GDI32(?), ref: 0041827F
                                                                    • DeleteDC.GDI32(00000000), ref: 00418282
                                                                    • DeleteObject.GDI32(00000000), ref: 00418285
                                                                    • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                                    • DeleteObject.GDI32(00000000), ref: 00418344
                                                                    • GlobalFree.KERNEL32(?), ref: 0041834B
                                                                    • DeleteDC.GDI32(?), ref: 0041835B
                                                                    • DeleteDC.GDI32(00000000), ref: 00418366
                                                                    • DeleteDC.GDI32(?), ref: 00418398
                                                                    • DeleteDC.GDI32(00000000), ref: 0041839B
                                                                    • DeleteObject.GDI32(?), ref: 004183A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                                    • String ID: DISPLAY
                                                                    • API String ID: 1765752176-865373369
                                                                    • Opcode ID: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                                    • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                                    • Opcode Fuzzy Hash: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                                    • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                                    • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                                    • ResumeThread.KERNEL32(?), ref: 00417582
                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                                    • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                                    • GetLastError.KERNEL32 ref: 004175C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                                    • API String ID: 4188446516-3035715614
                                                                    • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                    • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                                    • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                                    • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                                                    APIs
                                                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                                    • ExitProcess.KERNEL32 ref: 0041151D
                                                                      • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                                      • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                                      • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                                      • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                                    • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                      • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                      • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                    • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                                    • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                                    • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                                      • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                                      • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                                      • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                                    • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                                    • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                                      • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                                    • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                                    • API String ID: 4250697656-2665858469
                                                                    • Opcode ID: b68df8224523070e2f82cd34dc7b2adce00a37accb578c29d62ccc5e9000c55b
                                                                    • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                                    • Opcode Fuzzy Hash: b68df8224523070e2f82cd34dc7b2adce00a37accb578c29d62ccc5e9000c55b
                                                                    • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                                    APIs
                                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                                      • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                                      • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                                    • ExitProcess.KERNEL32 ref: 0040C63E
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                    • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                    • API String ID: 1861856835-3168347843
                                                                    • Opcode ID: bc9ec409533e283fce2af8f1342da00a8cbb2ade10869ce45b4ee9a54c8ef04e
                                                                    • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                                    • Opcode Fuzzy Hash: bc9ec409533e283fce2af8f1342da00a8cbb2ade10869ce45b4ee9a54c8ef04e
                                                                    • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                                    APIs
                                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                                      • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                                      • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                                    • ExitProcess.KERNEL32 ref: 0040C287
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                    • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                    • API String ID: 3797177996-1998216422
                                                                    • Opcode ID: dffb05e8999f19a92d485080abe1753edacd729e18a2bd4646b419d6321fb820
                                                                    • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                                    • Opcode Fuzzy Hash: dffb05e8999f19a92d485080abe1753edacd729e18a2bd4646b419d6321fb820
                                                                    • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                                    APIs
                                                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                                    • SetEvent.KERNEL32 ref: 0041A38A
                                                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                                    • CloseHandle.KERNEL32 ref: 0041A3AB
                                                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                                    • API String ID: 738084811-1408154895
                                                                    • Opcode ID: 67a24f6113aabf6128109dc61cf26ab2441941a35e225fe1c9d441213504bd5b
                                                                    • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                                    • Opcode Fuzzy Hash: 67a24f6113aabf6128109dc61cf26ab2441941a35e225fe1c9d441213504bd5b
                                                                    • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                                    • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                                    • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                                    • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Write$Create
                                                                    • String ID: RIFF$WAVE$data$fmt
                                                                    • API String ID: 1602526932-4212202414
                                                                    • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                    • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                                    • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                                    • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe,00000001,004068B2,C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                                    • API String ID: 1646373207-1884963611
                                                                    • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                    • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                                    • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                                    • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                                    • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                                    • lstrlenW.KERNEL32(?), ref: 0041B207
                                                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                                    • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                                    • _wcslen.LIBCMT ref: 0041B2DB
                                                                    • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                                    • GetLastError.KERNEL32 ref: 0041B313
                                                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                                    • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                                    • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                                    • GetLastError.KERNEL32 ref: 0041B370
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                                    • String ID: ?
                                                                    • API String ID: 3941738427-1684325040
                                                                    • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                                    • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                                    • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                                                    • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                                    APIs
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$EnvironmentVariable$_wcschr
                                                                    • String ID:
                                                                    • API String ID: 3899193279-0
                                                                    • Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                                    • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                                    • Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                                    • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                                      • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                    • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                                    • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                                    • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                                    • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                                    • Sleep.KERNEL32(00000064), ref: 00412060
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                                    • String ID: /stext "$HDG$HDG$>G$>G
                                                                    • API String ID: 1223786279-3931108886
                                                                    • Opcode ID: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                                    • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                                    • Opcode Fuzzy Hash: 36ecec2bd287229840889fa2f21ce4d309759ff1e99f2e4f361d0ee51ee9b760
                                                                    • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                                    • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                                    • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                    • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                    APIs
                                                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                                    • GetCursorPos.USER32(?), ref: 0041CAF8
                                                                    • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                                    • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                                    • ExitProcess.KERNEL32 ref: 0041CB74
                                                                    • CreatePopupMenu.USER32 ref: 0041CB7A
                                                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                    • String ID: Close
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$Info
                                                                    • String ID:
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                                    • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                                    • __aulldiv.LIBCMT ref: 00407FE9
                                                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                                    • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                                    APIs
                                                                    • Sleep.KERNEL32(00001388), ref: 00409E62
                                                                      • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                      • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                      • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                      • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                                      • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                    • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                                    APIs
                                                                    • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                                      • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                                    • _free.LIBCMT ref: 004500A6
                                                                      • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                      • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                    • _free.LIBCMT ref: 004500C8
                                                                    • _free.LIBCMT ref: 004500DD
                                                                    • _free.LIBCMT ref: 004500E8
                                                                    • _free.LIBCMT ref: 0045010A
                                                                    • _free.LIBCMT ref: 0045011D
                                                                    • _free.LIBCMT ref: 0045012B
                                                                    • _free.LIBCMT ref: 00450136
                                                                    • _free.LIBCMT ref: 0045016E
                                                                    • _free.LIBCMT ref: 00450175
                                                                    • _free.LIBCMT ref: 00450192
                                                                    • _free.LIBCMT ref: 004501AA
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                    • String ID:
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 0041912D
                                                                    • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                                    • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                                    • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                                    • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                    APIs
                                                                    • connect.WS2_32(?,?,?), ref: 004042A5
                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                                    • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                                      • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                                    APIs
                                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                                      • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                                      • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                                      • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                                    • ExitProcess.KERNEL32 ref: 0040C832
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                    • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                                    • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                                    • closesocket.WS2_32(?), ref: 0040481F
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404856
                                                                    • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404867
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 0040486E
                                                                    • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404880
                                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404885
                                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040488A
                                                                    • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404895
                                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040489A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                                    • String ID:
                                                                    • API String ID: 3658366068-0
                                                                    • Opcode ID: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                                    • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                                    • Opcode Fuzzy Hash: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                                    • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48
                                                                    APIs
                                                                      • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                                    • GetLastError.KERNEL32 ref: 00454A96
                                                                    • __dosmaperr.LIBCMT ref: 00454A9D
                                                                    • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                                    • GetLastError.KERNEL32 ref: 00454AB3
                                                                    • __dosmaperr.LIBCMT ref: 00454ABC
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                                    • CloseHandle.KERNEL32(?), ref: 00454C26
                                                                    • GetLastError.KERNEL32 ref: 00454C58
                                                                    • __dosmaperr.LIBCMT ref: 00454C5F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                    • String ID: H
                                                                    • API String ID: 4237864984-2852464175
                                                                    • Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                                    • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                                    • Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                                    • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                                    APIs
                                                                    • __Init_thread_footer.LIBCMT ref: 0040A456
                                                                    • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                                    • GetForegroundWindow.USER32 ref: 0040A467
                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                    • String ID: [${ User has been idle for $ minutes }$]
                                                                    • API String ID: 911427763-3954389425
                                                                    • Opcode ID: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                                                    • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                                    • Opcode Fuzzy Hash: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                                                    • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 65535$udp
                                                                    • API String ID: 0-1267037602
                                                                    • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                    • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                                    • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                                    • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                                    • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                                    • __dosmaperr.LIBCMT ref: 004393CD
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                                    • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                                    • __dosmaperr.LIBCMT ref: 0043940A
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                                    • __dosmaperr.LIBCMT ref: 0043945E
                                                                    • _free.LIBCMT ref: 0043946A
                                                                    • _free.LIBCMT ref: 00439471
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                    • String ID:
                                                                    • API String ID: 2441525078-0
                                                                    • Opcode ID: 8e17339ee731380b0b3a8ef5924022403d85b839411af4cfbf9d52c7b12deab7
                                                                    • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                                    • Opcode Fuzzy Hash: 8e17339ee731380b0b3a8ef5924022403d85b839411af4cfbf9d52c7b12deab7
                                                                    • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                                    APIs
                                                                    • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                                    • TranslateMessage.USER32(?), ref: 00404F30
                                                                    • DispatchMessageA.USER32(?), ref: 00404F3B
                                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                                                    • API String ID: 2956720200-749203953
                                                                    • Opcode ID: 58bd3a0ae6df6a0bdf912a68ced102d79291154801096aaee71947f3f084d5d0
                                                                    • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                                    • Opcode Fuzzy Hash: 58bd3a0ae6df6a0bdf912a68ced102d79291154801096aaee71947f3f084d5d0
                                                                    • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                                    • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                                    • String ID: <$@$@FG$@FG$Temp
                                                                    • API String ID: 1107811701-2245803885
                                                                    • Opcode ID: 248dd396e914dd493217af7d7ad54a5765675a85d7a0f101f9c1831ea090813b
                                                                    • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                                    • Opcode Fuzzy Hash: 248dd396e914dd493217af7d7ad54a5765675a85d7a0f101f9c1831ea090813b
                                                                    • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                                    • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe), ref: 00406705
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentProcess
                                                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                                    • API String ID: 2050909247-4145329354
                                                                    • Opcode ID: a25a50d4c2e43c50d9b1e39939b2cfdedfae0b5b41f18b30c59be5b4ed444aac
                                                                    • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                                    • Opcode Fuzzy Hash: a25a50d4c2e43c50d9b1e39939b2cfdedfae0b5b41f18b30c59be5b4ed444aac
                                                                    • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                                    • String ID:
                                                                    • API String ID: 221034970-0
                                                                    • Opcode ID: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                                    • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                                    • Opcode Fuzzy Hash: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                                    • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00446DDF
                                                                      • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                      • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                    • _free.LIBCMT ref: 00446DEB
                                                                    • _free.LIBCMT ref: 00446DF6
                                                                    • _free.LIBCMT ref: 00446E01
                                                                    • _free.LIBCMT ref: 00446E0C
                                                                    • _free.LIBCMT ref: 00446E17
                                                                    • _free.LIBCMT ref: 00446E22
                                                                    • _free.LIBCMT ref: 00446E2D
                                                                    • _free.LIBCMT ref: 00446E38
                                                                    • _free.LIBCMT ref: 00446E46
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                    • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                                    • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                                    • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Eventinet_ntoa
                                                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                                    • API String ID: 3578746661-4192532303
                                                                    • Opcode ID: 059a6457884d082c372b150a0b2831a4c1b83238499cd6d378c5b4a446b252df
                                                                    • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                                    • Opcode Fuzzy Hash: 059a6457884d082c372b150a0b2831a4c1b83238499cd6d378c5b4a446b252df
                                                                    • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                                    APIs
                                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DecodePointer
                                                                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                    • API String ID: 3527080286-3064271455
                                                                    • Opcode ID: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
                                                                    • Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
                                                                    • Opcode Fuzzy Hash: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
                                                                    • Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
                                                                    APIs
                                                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                                      • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                                    • Sleep.KERNEL32(00000064), ref: 00416688
                                                                    • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CreateDeleteExecuteShellSleep
                                                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                                    • API String ID: 1462127192-2001430897
                                                                    • Opcode ID: 6f7592da00a282af32ff41b540dad8098d47f26c763fabcb562c03d6f79861a4
                                                                    • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                                    • Opcode Fuzzy Hash: 6f7592da00a282af32ff41b540dad8098d47f26c763fabcb562c03d6f79861a4
                                                                    • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                                    APIs
                                                                    • _strftime.LIBCMT ref: 00401AD3
                                                                      • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                                    • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                                    • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                                    • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                    • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                                    • API String ID: 3809562944-3643129801
                                                                    APIs
                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                                    • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                                    • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                                    • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                                    • waveInStart.WINMM ref: 00401A81
                                                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                    • String ID: XCG$`=G$x=G
                                                                    • API String ID: 1356121797-903574159
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                                      • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                      • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                      • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                                    • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                                    • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                                    • TranslateMessage.USER32(?), ref: 0041C9FB
                                                                    • DispatchMessageA.USER32(?), ref: 0041CA05
                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                    • String ID: Remcos
                                                                    • API String ID: 1970332568-165870891
                                                                    APIs
                                                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                                    • __alloca_probe_16.LIBCMT ref: 00452C91
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                                    • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                                      • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                                    • __freea.LIBCMT ref: 00452DAA
                                                                    • __freea.LIBCMT ref: 00452DB6
                                                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                    • String ID:
                                                                    • API String ID: 201697637-0
                                                                    APIs
                                                                      • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                      • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                                      • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                      • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                                    • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                                    • _free.LIBCMT ref: 00444714
                                                                    • _free.LIBCMT ref: 0044472D
                                                                    • _free.LIBCMT ref: 0044475F
                                                                    • _free.LIBCMT ref: 00444768
                                                                    • _free.LIBCMT ref: 00444774
                                                                    • API ID: _free$ErrorLast$_abort_memcmp
                                                                    • String ID: C
                                                                    • API String ID: 1679612858-1037565863
                                                                    • API ID:
                                                                    • String ID: tcp$udp
                                                                    • API String ID: 0-3725065008
                                                                    APIs
                                                                    • ExitThread.KERNEL32 ref: 004017F4
                                                                      • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                                      • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                                      • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                    • __Init_thread_footer.LIBCMT ref: 004017BC
                                                                      • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                                      • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                                    • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                    • String ID: T=G$p[G$>G$>G
                                                                    • API String ID: 1596592924-2461731529
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                                      • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                                      • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                    • String ID: .part
                                                                    • API String ID: 1303771098-3499674018
                                                                    APIs
                                                                      • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                                      • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                                      • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                                      • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                    • _wcslen.LIBCMT ref: 0041A8F6
                                                                    • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                                    • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                                    • API String ID: 37874593-703403762
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
                                                                    • __alloca_probe_16.LIBCMT ref: 004499E2
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
                                                                    • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                                    • __freea.LIBCMT ref: 00449B37
                                                                      • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                    • __freea.LIBCMT ref: 00449B40
                                                                    • __freea.LIBCMT ref: 00449B65
                                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 3864826663-0
                                                                    APIs
                                                                    • SendInput.USER32 ref: 00418B08
                                                                    • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                                    • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                                      • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                                    • API ID: InputSend$Virtual
                                                                    • String ID:
                                                                    • API String ID: 1167301434-0
                                                                    • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                    • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                                    • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                                    • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                                    APIs
                                                                    • OpenClipboard.USER32 ref: 00415A46
                                                                    • EmptyClipboard.USER32 ref: 00415A54
                                                                    • CloseClipboard.USER32 ref: 00415A5A
                                                                    • OpenClipboard.USER32 ref: 00415A61
                                                                    • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                                    • CloseClipboard.USER32 ref: 00415A89
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                                    • String ID:
                                                                    • API String ID: 2172192267-0
                                                                    • Opcode ID: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
                                                                    • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                                    • Opcode Fuzzy Hash: ed1c07982b29d0ead8c7efce27f1f73f7a3c6531811b5a16733390c9f1490fe0
                                                                    • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00447EBC
                                                                    • _free.LIBCMT ref: 00447EE0
                                                                    • _free.LIBCMT ref: 00448067
                                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                                    • _free.LIBCMT ref: 00448233
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                    • String ID:
                                                                    • API String ID: 314583886-0
                                                                    • Opcode ID: 8f2632b67193357a83db75d9b5d73d353fce2e4dc276e18d9d86292fc31d1611
                                                                    • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                                    • Opcode Fuzzy Hash: 8f2632b67193357a83db75d9b5d73d353fce2e4dc276e18d9d86292fc31d1611
                                                                    • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0
                                                                    • Opcode ID: 67e449e53c8ad906785535aafbfbe26c0ba071591af106f4c86beb5beaf16e94
                                                                    • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                                    • Opcode Fuzzy Hash: 67e449e53c8ad906785535aafbfbe26c0ba071591af106f4c86beb5beaf16e94
                                                                    • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                                    APIs
                                                                      • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                    • _free.LIBCMT ref: 00444086
                                                                    • _free.LIBCMT ref: 0044409D
                                                                    • _free.LIBCMT ref: 004440BC
                                                                    • _free.LIBCMT ref: 004440D7
                                                                    • _free.LIBCMT ref: 004440EE
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$AllocateHeap
                                                                    • String ID: J7D
                                                                    • API String ID: 3033488037-1677391033
                                                                    • Opcode ID: 8c925fd0856db186306c7281cb720ff9f4ffcac0ad0a05797528cb4255118f5a
                                                                    • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                                    • Opcode Fuzzy Hash: 8c925fd0856db186306c7281cb720ff9f4ffcac0ad0a05797528cb4255118f5a
                                                                    • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                                    • __fassign.LIBCMT ref: 0044A180
                                                                    • __fassign.LIBCMT ref: 0044A19B
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                                    • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                                    • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                    • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                                    • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                                    • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID: HE$HE
                                                                    • API String ID: 269201875-1978648262
                                                                    • Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                                    • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                                    • Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                                    • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                                    APIs
                                                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                                      • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                      • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumInfoOpenQuerysend
                                                                    • String ID: TUFTUF$>G$DG$DG
                                                                    • API String ID: 3114080316-344394840
                                                                    • Opcode ID: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
                                                                    • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                                    • Opcode Fuzzy Hash: bf697a078cb867d97e45357ac50b9e71af34c85f47cf55f872e92a0cd902ea26
                                                                    • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 1170836740-1018135373
                                                                    • Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                                    • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                                    • Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                                    • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                                    APIs
                                                                      • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                                      • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                                      • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                                    • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                    • API String ID: 1133728706-4073444585
                                                                    • Opcode ID: f18917443f7c6820299f50b24860e0ced39b7309a667dc30009aa6e24bb425c3
                                                                    • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                                    • Opcode Fuzzy Hash: f18917443f7c6820299f50b24860e0ced39b7309a667dc30009aa6e24bb425c3
                                                                    • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: baa808ce9aba2e31bda6eba52dd091397fabc77087c94bec0579852e2f8fce8d
                                                                    • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                                    • Opcode Fuzzy Hash: baa808ce9aba2e31bda6eba52dd091397fabc77087c94bec0579852e2f8fce8d
                                                                    • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                                    • int.LIBCPMT ref: 0040FC0F
                                                                      • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                      • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                    • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                    • String ID: P[G
                                                                    • API String ID: 2536120697-571123470
                                                                    • Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                                    • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                                    • Opcode Fuzzy Hash: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                                    • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                                    APIs
                                                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                                    Strings
                                                                    • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandleOpen$FileRead
                                                                    • String ID: http://geoplugin.net/json.gp
                                                                    • API String ID: 3121278467-91888290
                                                                    • Opcode ID: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                                    • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                                    • Opcode Fuzzy Hash: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                                    • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                                    APIs
                                                                      • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                                    • _free.LIBCMT ref: 0044FD29
                                                                      • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                      • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                    • _free.LIBCMT ref: 0044FD34
                                                                    • _free.LIBCMT ref: 0044FD3F
                                                                    • _free.LIBCMT ref: 0044FD93
                                                                    • _free.LIBCMT ref: 0044FD9E
                                                                    • _free.LIBCMT ref: 0044FDA9
                                                                    • _free.LIBCMT ref: 0044FDB4
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                    • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                                    • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                                    • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                                    APIs
                                                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe), ref: 00406835
                                                                      • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                                      • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                                    • CoUninitialize.OLE32 ref: 0040688E
                                                                    Strings
                                                                    • [+] before ShellExec, xrefs: 00406856
                                                                    • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                                    • C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, xrefs: 00406815, 00406818, 0040686A
                                                                    • [+] ShellExec success, xrefs: 00406873
                                                                    Similarity
                                                                    • API ID: InitializeObjectUninitialize_wcslen
                                                                    • String ID: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                                    • API String ID: 3851391207-3068729581
                                                                    • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                    • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                                    • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                                    • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                                    • int.LIBCPMT ref: 0040FEF2
                                                                      • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                                      • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                                    • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                                    Similarity
                                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                    • String ID: H]G
                                                                    • API String ID: 2536120697-1717957184
                                                                    • Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                                    • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                                    • Opcode Fuzzy Hash: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                                    • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                                    APIs
                                                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                                    • GetLastError.KERNEL32 ref: 0040B2EE
                                                                    Strings
                                                                    • UserProfile, xrefs: 0040B2B4
                                                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                                    • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                                    • [Chrome Cookies not found], xrefs: 0040B308
                                                                    Similarity
                                                                    • API ID: DeleteErrorFileLast
                                                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                    • API String ID: 2018770650-304995407
                                                                    • Opcode ID: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                                                    • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                                    • Opcode Fuzzy Hash: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                                                    • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                                    APIs
                                                                    • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                                    Similarity
                                                                    • API ID: Console$AllocOutputShowWindow
                                                                    • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                                    • API String ID: 2425139147-2527699604
                                                                    • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                    • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                                    • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                                    • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                                    Strings
                                                                    • (CG, xrefs: 0040693F
                                                                    • C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe, xrefs: 00406927
                                                                    • BG, xrefs: 00406909
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (CG$C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe$BG
                                                                    • API String ID: 0-2613091526
                                                                    • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                                    • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                                    • Opcode Fuzzy Hash: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                                    • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                                    APIs
                                                                    • __allrem.LIBCMT ref: 00439789
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                                    • __allrem.LIBCMT ref: 004397BC
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                                    • __allrem.LIBCMT ref: 004397F1
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                    • String ID:
                                                                    • API String ID: 1992179935-0
                                                                    • Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                                    • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                                    • Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                                    • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                                    Similarity
                                                                    • API ID: __cftoe
                                                                    • String ID:
                                                                    • API String ID: 4189289331-0
                                                                    • Opcode ID: 9b2fc1694d82a2623a89bc6481469fa908d9f87ebd85e1474d8b0e6b87dad09b
                                                                    • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                                    • Opcode Fuzzy Hash: 9b2fc1694d82a2623a89bc6481469fa908d9f87ebd85e1474d8b0e6b87dad09b
                                                                    • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                                    Similarity
                                                                    • API ID: __freea$__alloca_probe_16
                                                                    • String ID: a/p$am/pm
                                                                    • API String ID: 3509577899-3206640213
                                                                    • Opcode ID: 878f267278134c9071f936cebdfefb8e9459c977e50b15d673de31b0c138741a
                                                                    • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                                    • Opcode Fuzzy Hash: 878f267278134c9071f936cebdfefb8e9459c977e50b15d673de31b0c138741a
                                                                    • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                                      • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                                    Similarity
                                                                    • API ID: H_prologSleep
                                                                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                                    • API String ID: 3469354165-462540288
                                                                    • Opcode ID: fd84d583727d63a22948aa60d8945a9d52214e7481cacf893f5ebe8d1c8ecc38
                                                                    • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                                    • Opcode Fuzzy Hash: fd84d583727d63a22948aa60d8945a9d52214e7481cacf893f5ebe8d1c8ecc38
                                                                    • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                    • String ID:
                                                                    • API String ID: 493672254-0
                                                                    • Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                                    • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                                    • Opcode Fuzzy Hash: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                                    • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                                    • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                                    • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                                    • Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                                    • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                                    • _free.LIBCMT ref: 00446EF6
                                                                    • _free.LIBCMT ref: 00446F1E
                                                                    • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                                    • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                                    • _abort.LIBCMT ref: 00446F3D
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free$_abort
                                                                    • String ID:
                                                                    • API String ID: 3160817290-0
                                                                    • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                    • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                                    • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                                    • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                                    • String ID:
                                                                    • API String ID: 221034970-0
                                                                    • Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                                    • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                                    • Opcode Fuzzy Hash: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                                    • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                                    APIs
                                                                     • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                                     • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                                     • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                                     • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                                     • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                                     • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                                     • Note: OpenServiceW asks for access 0x40 (SERVICE_PAUSE_CONTINUE) and ControlService sends control code 2 (SERVICE_CONTROL_PAUSE), so this routine pauses a service. The service name is passed as a pointer the dump does not resolve (String ID is empty), so which service is targeted cannot be read from this record.
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                                    • String ID:
                                                                    • API String ID: 221034970-0
                                                                    • Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                                    • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                                    • Opcode Fuzzy Hash: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                                    • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                                    APIs
                                                                     • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                                     • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                                     • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                                     • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                                     • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                                     • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                                     • Note: the same sequence with control code 3 (SERVICE_CONTROL_CONTINUE): this is the resume half of the pause routine at 00419D31, again opened with SERVICE_PAUSE_CONTINUE (0x40) access and again with an unresolved service name.
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                                    • String ID:
                                                                    • API String ID: 221034970-0
                                                                    • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                                    • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                                    • Opcode Fuzzy Hash: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                                    • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                                    APIs
                                                                     • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                                     • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                                     • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                                     • Note: RegQueryInfoKeyW sizes the key, then RegEnumKeyExW and RegEnumValueW walk its subkeys and values (RegEnumValueW is given a 0x2710 = 10000-character data buffer). The "[regsplt]" string referenced below is consistent with a separator inserted when the enumeration result is serialised, i.e. a remote registry browser rather than a one-off key lookup.
                                                                     Memory Dump Source
                                                                     • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: Enum$InfoQueryValue
                                                                    • String ID: [regsplt]$DG
                                                                    • API String ID: 3554306468-1089238109
                                                                    • Opcode ID: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                                    • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                                    • Opcode Fuzzy Hash: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                                    • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                                    APIs
                                                                       • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                                       • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                                       • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                                     • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                                       • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                                       • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                                     • Note: the EnterCriticalSection/LeaveCriticalSection, __onexit and __Init_thread_footer calls are MSVC-generated guards for thread-safe static initialisation, not malware logic. What identifies the routine is its referenced strings, "[Text copied to clipboard]" and "[End of clipboard]", which bracket clipboard contents written into the keylog.
                                                                     Memory Dump Source
                                                                     • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                                    • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                                    • API String ID: 2974294136-753205382
                                                                    • Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                                    • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                                    • Opcode Fuzzy Hash: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                                    • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                                    APIs
                                                                     • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                                     • wsprintfW.USER32 ref: 0040A905
                                                                       • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                     • Note: GetLocalTime followed by wsprintfW with the format "[%04i/%02i/%02i %02i:%02i:%02i " writes a timestamp header into the offline keylog, and the SetEvent in the subcall wakes the thread that flushes it. "Offline Keylogger Started" is the marker written when the offline keylogger is switched on.
                                                                     Memory Dump Source
                                                                     • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: EventLocalTimewsprintf
                                                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                                    • API String ID: 1497725170-248792730
                                                                    • Opcode ID: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                                    • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                                    • Opcode Fuzzy Hash: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                                    • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
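The clipboard routine (strings "[Text copied to clipboard]" / "[End of clipboard]") and the keylogger header routine (format "[%04i/%02i/%02i %02i:%02i:%02i ") together define the markers a recovered Remcos offline keylog carries. The parser below is an added example, not code from the sample or from Joe Sandbox. It relies only on those literal strings; that a window title follows the timestamp, the placement of the "Offline Keylogger Started" marker and the contents of SAMPLE_LOG are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Header produced by wsprintfW from the recovered format string "[%04i/%02i/%02i %02i:%02i:%02i ".
# Everything after that trailing space (the "]" and, assumed here, a window title) is captured loosely.
HEADER_RE = re.compile(r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*)$")
CLIP_START = "[Text copied to clipboard]"   # literal strings from the clipboard routine
CLIP_END = "[End of clipboard]"


@dataclass
class Entry:
    timestamp: str                 # "YYYY-MM-DD HH:MM:SS", empty if no header preceded the data
    title: str                     # text between the timestamp and the closing "]" (assumed window title)
    keystrokes: list = field(default_factory=list)
    clipboard: list = field(default_factory=list)


def parse_keylog(text):
    """Split a recovered log into timestamped entries; clipboard captures are attached to the
    entry they follow. A capture cut off before its end marker is kept rather than dropped."""
    entries, current, clip = [], None, None
    for line in text.splitlines():
        if clip is not None:                        # inside a clipboard block
            if line == CLIP_END:
                current.clipboard.append("\n".join(clip))
                clip = None
            else:
                clip.append(line)
            continue
        m = HEADER_RE.match(line)
        if m:
            y, mo, d, h, mi, s, rest = m.groups()
            current = Entry(f"{y}-{mo}-{d} {h}:{mi}:{s}", rest.rstrip("]").strip())
            entries.append(current)
        elif line == CLIP_START:
            if current is None:                     # log fragment that starts mid-stream
                current = Entry("", "")
                entries.append(current)
            clip = []
        elif line and current is not None:
            current.keystrokes.append(line)
    if clip is not None:
        current.clipboard.append("\n".join(clip))   # truncated capture at end of file
    return entries


def clipboard_captures(entries):
    """Flatten to (timestamp, text) pairs: pasted credentials end up in the clipboard blocks."""
    return [(e.timestamp, c) for e in entries for c in e.clipboard]


# Constructed sample; only the bracketed markers and the timestamp layout come from the dump.
SAMPLE_LOG = """\
[2024/11/28 10:15:32 Offline Keylogger Started]
[2024/11/28 10:16:05 Inbox - Outlook]
hello team please see attached
[Text copied to clipboard]
P@ssw0rd-2024
[End of clipboard]
[2024/11/28 10:17:40 Untitled - Notepad]
notes for later
"""

if __name__ == "__main__":
    for ts, text in clipboard_captures(parse_keylog(SAMPLE_LOG)):
        print(ts, repr(text))
```

Run it over the decrypted log recovered from the victim host; the clipboard pairs are the first thing to review, since they carry whatever the user pasted, and a trailing capture without its end marker still surfaces instead of being silently lost.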
                                                                    APIs
                                                                     • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                                     • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                                     • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                                     • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                                     • Note: CreateFileW opens the file with GENERIC_READ (0x80000000), share mode 7 (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE), OPEN_EXISTING (3) and FILE_ATTRIBUTE_NORMAL (0x80), reads its size with GetFileSize and sleeps 0x2710 ms (10 s) before closing the handle: a size poll on a file. The permissive share mode means another process can read or delete the file while this handle is open.
                                                                     Memory Dump Source
                                                                     • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: File$CloseCreateHandleSizeSleep
                                                                    • String ID: `AG
                                                                    • API String ID: 1958988193-3058481221
                                                                    • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                                    • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                                    • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                                    • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                                    APIs
                                                                     • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                                     • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                                     • GetLastError.KERNEL32 ref: 0041CA91
                                                                     • Note: RegisterClassExA (cbSize 0x30) registers the "MsgWindowClass" class, and CreateWindowExA is called with zero style, position and size and an hWndParent shown as 000000FD, consistent with HWND_MESSAGE (-3): a message-only window that never appears on screen but receives window messages. GetLastError is read immediately afterwards to check the result of the creation.
                                                                     Memory Dump Source
                                                                     • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: ClassCreateErrorLastRegisterWindow
                                                                    • String ID: 0$MsgWindowClass
                                                                    • API String ID: 2877667751-2410386613
                                                                    • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                    • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                                    • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                                    • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                                    APIs
                                                                     • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                                     • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                                     • CloseHandle.KERNEL32(?), ref: 00406A14
                                                                     • Note: CreateProcessA starts C:\Windows\System32\cmd.exe with "/k %windir%\System32\reg.exe ADD ... /v EnableLUA /t REG_DWORD /d 0 /f" and dwCreationFlags 0x08000000 (CREATE_NO_WINDOW), so no console is shown. Writing EnableLUA=0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System disables UAC machine-wide (the change takes effect after the next reboot); the write needs an elevated token, which is why this routine sits alongside the CMSTPLUA UAC bypass listed in the signatures. The two CloseHandle calls release the process and thread handles without waiting for the child to finish.
                                                                    Strings
                                                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                                    • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: CloseHandle$CreateProcess
                                                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                    • API String ID: 2922976086-4183131282
                                                                    • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                    • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                                    • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                                    • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
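As an added detection example (not part of the sandbox report and not the sample's code), the following flags process-creation telemetry that carries the EnableLUA=0 write above. It goes beyond the single observed line: ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0 under the same policy key are treated as UAC weakening too, since both are documented UAC policy values. The event shape (Image/CommandLine fields) and the sample events are constructed; expanding %windir% to C:\Windows is an assumption made for matching.

```python
import re

# Registry path (without hive) holding the UAC policy values; matching is case-insensitive.
UAC_POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"

# Values under that key which weaken UAC when set to the listed data. EnableLUA=0 is what the
# sample writes; the other two are a generalization (silent elevation / no secure desktop).
WEAK_SETTINGS = {
    "enablelua": 0,
    "consentpromptbehavioradmin": 0,
    "promptonsecuredesktop": 0,
}


def expand_env(cmdline):
    """Resolve the SystemRoot variables the sample relies on; logs usually carry them unexpanded."""
    return re.sub(r"%(windir|systemroot)%", lambda m: r"C:\Windows", cmdline, flags=re.IGNORECASE)


def split_cmdline(cmdline):
    """Minimal Windows-style splitter: whitespace separates arguments, double quotes group them."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _basename(token):
    return token.replace("/", "\\").rsplit("\\", 1)[-1]


def detect_uac_tamper(cmdline):
    """Return a finding dict if the command line writes a UAC-weakening value, else None.
    'reg add' may appear anywhere in the line because the sample wraps it in cmd.exe /k."""
    toks = [t.lower() for t in split_cmdline(expand_env(cmdline))]
    for i, tok in enumerate(toks):
        if _basename(tok) in ("reg", "reg.exe") and i + 1 < len(toks) and toks[i + 1] == "add":
            args = toks[i + 2:]
            break
    else:
        return None
    if not args:
        return None
    key = args[0].replace("hkey_local_machine", "hklm").strip("\\")
    if key != "hklm\\" + UAC_POLICY_KEY:
        return None
    value_name, data, j = None, None, 1
    while j < len(args):                      # reg.exe switches: /v <name> ... /d <data>
        if args[j] == "/v" and j + 1 < len(args):
            value_name, j = args[j + 1], j + 2
        elif args[j] == "/d" and j + 1 < len(args):
            data, j = args[j + 1], j + 2
        else:
            j += 1
    if value_name not in WEAK_SETTINGS or data is None:
        return None
    try:
        data_int = int(data, 0)               # accepts "0" and "0x0"
    except ValueError:
        return None
    if data_int != WEAK_SETTINGS[value_name]:
        return None
    return {
        "value": value_name,
        "data": data_int,
        "via_cmd_wrapper": any(_basename(t) == "cmd.exe" for t in toks),
    }


def scan_events(events):
    """events: dicts with at least a CommandLine field (a Sysmon-like shape, assumed here)."""
    findings = []
    for ev in events:
        hit = detect_uac_tamper(ev.get("CommandLine", ""))
        if hit:
            findings.append({"Image": ev.get("Image", ""), **hit})
    return findings


# Constructed events. The first CommandLine is the one recovered from the CreateProcessA call above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"Image": r"C:\Windows\System32\reg.exe",   # benign: an administrator re-enabling UAC
     "CommandLine": r'reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",   # unrelated reg.exe use
     "CommandLine": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"Image": r"C:\Windows\System32\reg.exe",   # generalization: silent elevation for admins
     "CommandLine": r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0x0 /f"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f)
```

The match is on the normalised key and value rather than on the raw string, so quoting, hive aliases, case and hex data do not evade it; pair it with a registry check of the same key on the host, since the sample's write only shows up in process telemetry if reg.exe creation was logged.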
                                                                    APIs
                                                                     • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
                                                                     • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                                     • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
                                                                     • Note: the mscoree.dll / CorExitProcess lookup is the Visual C++ runtime's exit path (it lets a CLR-hosted process shut down cleanly) and is present in every statically linked CRT; it is runtime boilerplate, not a behaviour of the RAT.
                                                                     Memory Dump Source
                                                                     • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                    • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                                    • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                                    • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                                    APIs
                                                                     • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,0040483F,00000001,?,?,00000000,00475B70,004017F3), ref: 00404AED
                                                                     • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404AF9
                                                                     • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404B04
                                                                     • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404B0D
                                                                       • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                     • Note: CreateEventA creates an unnamed auto-reset event that starts unsignalled, SetEvent signals it, WaitForSingleObject waits on it with a timeout shown as 000000FF (consistent with INFINITE, 0xFFFFFFFF, in this truncated display) and the handle is closed. The referenced string "KeepAlive | Disabled" and the GetLocalTime subcall tie the routine to the RAT's timestamped status logging for its keep-alive option.
                                                                     Memory Dump Source
                                                                     • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                    • String ID: KeepAlive | Disabled
                                                                    • API String ID: 2993684571-305739064
                                                                    • Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                                    • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                                    • Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                                    • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                                    APIs
                                                                      • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                     • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                                     • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                                     • Sleep.KERNEL32(00002710), ref: 00419F79
                                                                     • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                                     • Note: GetModuleHandleA(NULL) returns the RAT's own module handle, which PlaySoundW needs when the sound is embedded as a resource; the sound is left playing for 0x2710 ms (10 s) and the second PlaySoundW, with a NULL sound name, stops playback. The referenced "Alarm triggered" string ties this to the Remcos alarm feature.
                                                                     Memory Dump Source
                                                                     • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                     • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                    • String ID: Alarm triggered
                                                                    • API String ID: 614609389-2816303416
                                                                    • Opcode ID: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                                    • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                                    • Opcode Fuzzy Hash: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                                    • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                                    APIs
                                                                     • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                                     • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                                     • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                                     • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                                     • Note: GetStdHandle is called with a value shown as 000000F5, consistent with STD_OUTPUT_HANDLE (-11) in this truncated display. GetConsoleScreenBufferInfo saves the current attributes, SetConsoleTextAttribute 0x0C (FOREGROUND_RED | FOREGROUND_INTENSITY) prints the banner below in bright red, and the second SetConsoleTextAttribute restores the saved attributes. The banner string is multi-line ASCII art that extraction has flattened onto one line; it is a console banner, not a functional indicator.
                                                                    Strings
                                                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                                    • API String ID: 3024135584-2418719853
                                                                    • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                    • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                                    • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                                    • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                                    • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                                    • Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                                    • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                                    APIs
                                                                       • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                                     • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                                     • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                                     • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                                     • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                                     • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                                     • Note: GetNativeSystemInfo (to obtain dwPageSize), a HeapAlloc from the process heap, and SetLastError with 0xD (ERROR_INVALID_DATA), 0xC1 (ERROR_BAD_EXE_FORMAT) and 0x45A (ERROR_DLL_INIT_FAILED) are the error paths of an in-memory PE loader that maps a module without LoadLibrary: the image headers are validated, memory for the aligned SizeOfImage is allocated, and a failing entry point is reported as ERROR_DLL_INIT_FAILED. This is consistent with the unpacking and PE-injection signatures listed for the sample.
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                                    • String ID:
                                                                    • API String ID: 3525466593-0
                                                                    • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                    • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                                    • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                                    • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                                    APIs
                                                                      • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                                      • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                                      • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                      • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 4269425633-0
                                                                    • Opcode ID: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                                    • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                                    • Opcode Fuzzy Hash: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                                    • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0
                                                                    • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                    • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                                    • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                                    • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                                                    • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                                                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                                                    • __freea.LIBCMT ref: 0044FFC4
                                                                      • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                    • String ID:
                                                                    • API String ID: 313313983-0
                                                                    • Opcode ID: 578e6bc7a4fc1a2bb7a9e58197017e828bee5b66154445d614d46d91064b4efe
                                                                    • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                                    • Opcode Fuzzy Hash: 578e6bc7a4fc1a2bb7a9e58197017e828bee5b66154445d614d46d91064b4efe
                                                                    • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                                      • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                                    • _free.LIBCMT ref: 0044E1A0
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                    • String ID:
                                                                    • API String ID: 336800556-0
                                                                    • Opcode ID: cbfa98b2cae8c11c90072c2e77890abdc970385a4e1e7188d4ee333dffee03c0
                                                                    • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                                    • Opcode Fuzzy Hash: cbfa98b2cae8c11c90072c2e77890abdc970385a4e1e7188d4ee333dffee03c0
                                                                    • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,00000000,00000000,0043A7C2,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F48
                                                                    • _free.LIBCMT ref: 00446F7D
                                                                    • _free.LIBCMT ref: 00446FA4
                                                                    • SetLastError.KERNEL32(00000000), ref: 00446FB1
                                                                    • SetLastError.KERNEL32(00000000), ref: 00446FBA
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free
                                                                    • String ID:
                                                                    • API String ID: 3170660625-0
                                                                    • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                    • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                                    • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                                    • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                                    APIs
                                                                    • _free.LIBCMT ref: 0044F7B5
                                                                      • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                      • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                    • _free.LIBCMT ref: 0044F7C7
                                                                    • _free.LIBCMT ref: 0044F7D9
                                                                    • _free.LIBCMT ref: 0044F7EB
                                                                    • _free.LIBCMT ref: 0044F7FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                    • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                                    • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                                    • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00443305
                                                                      • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                      • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                    • _free.LIBCMT ref: 00443317
                                                                    • _free.LIBCMT ref: 0044332A
                                                                    • _free.LIBCMT ref: 0044333B
                                                                    • _free.LIBCMT ref: 0044334C
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                    • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                                    • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                                    • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                                    APIs
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                                    • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                                    • IsWindowVisible.USER32(?), ref: 004167A1
                                                                      • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                      • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessWindow$Open$TextThreadVisible
                                                                    • String ID: (FG
                                                                    • API String ID: 3142014140-2273637114
                                                                    • Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                                    • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                                    • Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                                    • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                                    APIs
                                                                    • _strpbrk.LIBCMT ref: 0044D4A8
                                                                    • _free.LIBCMT ref: 0044D5C5
                                                                      • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,00401962,?,?,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                                      • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                                                      • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                    • String ID: *?$.
                                                                    • API String ID: 2812119850-3972193922
                                                                    • Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                                    • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                                    • Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                                    • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                                    APIs
                                                                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                                      • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                                      • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                                      • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                                    • String ID: XCG$`AG$>G
                                                                    • API String ID: 2334542088-2372832151
                                                                    • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                                    • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                                    • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                                    • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe,00000104), ref: 00442714
                                                                    • _free.LIBCMT ref: 004427DF
                                                                    • _free.LIBCMT ref: 004427E9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$FileModuleName
                                                                    • String ID: C:\Users\user\Desktop\ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe
                                                                    • API String ID: 2506810119-980253379
                                                                    • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                                    • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                                    • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                                    • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                                      • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                                      • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                                    • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                    • String ID: /sort "Visit Time" /stext "$8>G
                                                                    • API String ID: 368326130-2663660666
                                                                    APIs
                                                                    • CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
                                                                    • CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
                                                                    • CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
                                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CreateThread$LocalTimewsprintf
                                                                    • String ID: Offline Keylogger Started
                                                                    • API String ID: 465354869-4114347211
                                                                    APIs
                                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                      • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                    • CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
                                                                    • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
                                                                    • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CreateThread$LocalTime$wsprintf
                                                                    • String ID: Online Keylogger Started
                                                                    • API String ID: 112202259-1258561607
                                                                    APIs
                                                                    • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                                    • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                                    • __dosmaperr.LIBCMT ref: 0044AAFE
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CloseErrorHandleLast__dosmaperr
                                                                    • String ID: `@
                                                                    • API String ID: 2583163307-951712118
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 00404946
                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                                                    • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                                    Strings
                                                                    • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                                    Similarity
                                                                    • API ID: Create$EventLocalThreadTime
                                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                                    • API String ID: 2532271599-1507639952
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                                    • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CloseEventHandleObjectSingleWait
                                                                    • String ID: Connection Timeout
                                                                    • API String ID: 2055531096-499159329
                                                                    APIs
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                                      • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                                      • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                                    • String ID: bad locale name
                                                                    • API String ID: 3628047217-1405518554
                                                                    APIs
                                                                    • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                                    • RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                                    • RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CloseCreateValue
                                                                    • String ID: Control Panel\Desktop
                                                                    • API String ID: 1818849710-27424756
                                                                    APIs
                                                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                                    • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CloseCreateValue
                                                                    • String ID: TUF
                                                                    • API String ID: 1818849710-3431404234
                                                                    APIs
                                                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ExecuteShell
                                                                    • String ID: /C $cmd.exe$open
                                                                    • API String ID: 587946157-3896048727
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: GetCursorInfo$User32.dll
                                                                    • API String ID: 1646373207-2714051624
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetLastInputInfo$User32.dll
                                                                    • API String ID: 2574300362-1519888992
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: __alldvrm$_strrchr
                                                                    • String ID:
                                                                    • API String ID: 1036877536-0
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                                    • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                                    • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                                    Similarity
                                                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                    • String ID:
                                                                    • API String ID: 3360349984-0
                                                                    APIs
                                                                    Strings
                                                                    • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                                    • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                    • API String ID: 3472027048-1236744412
                                                                    • Opcode ID: c1d9957bbb0b6ffbc53675b18bda7a9e9a83474d3c872a81f0d626b3d463543d
                                                                    • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                                    • Opcode Fuzzy Hash: c1d9957bbb0b6ffbc53675b18bda7a9e9a83474d3c872a81f0d626b3d463543d
                                                                    • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                                    APIs
                                                                      • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                                      • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                                      • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                                    • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQuerySleepValue
                                                                    • String ID: @CG$exepath$BG
                                                                    • API String ID: 4119054056-3221201242
                                                                    • Opcode ID: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                                    • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                                    • Opcode Fuzzy Hash: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                                    • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                                    APIs
                                                                      • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                                      • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                                      • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                                    • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                                    • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Window$SleepText$ForegroundLength
                                                                    • String ID: [ $ ]
                                                                    • API String ID: 3309952895-93608704
                                                                    • Opcode ID: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
                                                                    • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                                    • Opcode Fuzzy Hash: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
                                                                    • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandlePointerWrite
                                                                    • String ID:
                                                                    • API String ID: 3604237281-0
                                                                    • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                    • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                                    • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                                    • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                    • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                                    • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                                    • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                    • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                                    • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                                    • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                                    APIs
                                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                                      • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                                      • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                                    • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                                    • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                    • String ID:
                                                                    • API String ID: 737400349-0
                                                                    • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                    • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                                    • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                                    • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                                    • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3177248105-0
                                                                    • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                    • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                                    • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                                    • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B647
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B66C
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B67A
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 3919263394-0
                                                                    • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                    • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                                    • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                                    • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                                    APIs
                                                                    • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                                    • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                                    • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                                    • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MetricsSystem
                                                                    • String ID:
                                                                    • API String ID: 4116985748-0
                                                                    • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                    • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                                    • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                                    • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                                    APIs
                                                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandleOpenProcess
                                                                    • String ID:
                                                                    • API String ID: 39102293-0
                                                                    • Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                                    • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                                    • Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                                    • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
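Added example, not part of the Joe Sandbox report or its tooling: a small Python parser for the per-function records above that decodes the literal Win32 arguments Joe Sandbox printed into constant names. Run over the registry lookup, the log-file writer and the OpenProcess pair listed above, it turns RegOpenKeyExA(80000001,...,00020019) into HKEY_CURRENT_USER with KEY_READ (the lookup that precedes the 'exepath' string and the 3000 ms Sleep), CreateFileW(...,40000000,...,00000002,...) followed by SetFilePointer(...,00000002) into GENERIC_WRITE / CREATE_ALWAYS followed by a FILE_END seek before WriteFile, and the 00001000 / 00000400 access masks of the two OpenProcess calls into PROCESS_QUERY_LIMITED_INFORMATION and PROCESS_QUERY_INFORMATION. The SAMPLE text in the block is constructed from these records and trimmed; the regexes, the constant tables and the rule that 'Instruction Fuzzy Hash' closes a record are assumptions about the report layout as it appears on this page. Joe Sandbox prints raw stack slots, so only hex literals are decoded and '?' is passed through unchanged; check any surprising value against the disassembly rather than trusting the printed slot.

```python
"""Parse the per-function records of a Joe Sandbox report (the 'APIs' / 'Strings' / 'Similarity' blocks
shown above) and decode the literal Win32 arguments they print into constant names. Added example, not
Joe Sandbox tooling; SAMPLE is constructed from records on this page, trimmed to the fields used."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

SAMPLE = """\
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
• Sleep.KERNEL32(00000BB8), ref: 004115C3
Similarity
• API ID: CloseOpenQuerySleepValue
• String ID: @CG$exepath$BG
• Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
APIs
• CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
Strings
• Cleared browsers logins and cookies., xrefs: 0040B8EF
Similarity
• API ID: Sleep
• Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
"""
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_RE = re.compile(r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                    r"(?P<func>[\w:]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^•\s+(?P<text>.*), xrefs: (?P<xrefs>[0-9A-F]{8}(?:, [0-9A-F]{8})*)$")
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z][\w ]*?): ?(?P<val>.*)$")
ApiCall = namedtuple("ApiCall", "func module args ref subcall_of")  # args exactly as printed; '?' = unresolved stack slot

@dataclass
class Record:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, [xref, ...])
    fields: dict = field(default_factory=dict)    # 'API ID', 'String ID', 'Source File', the hashes ...

def parse_records(text):
    """Split flat report text into Records; 'Instruction Fuzzy Hash' is always the last field of a record."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            cur, section = Record(), None
        if line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["func"], m["mod"], args, m["ref"], m["sub"] or ""))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], m["xrefs"].split(", ")))
        elif m := FIELD_RE.match(line):
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = None
    if cur is not None and (cur.apis or cur.strings or cur.fields):
        records.append(cur)                       # truncated trailing record (this page cuts one off)
    return records

PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}

def _flags(value, table):                         # bitmask -> 'A|B'; leftover bits stay as hex so nothing is dropped
    rest = value & ~sum(table)
    return "|".join([n for bit, n in table.items() if value & bit] + ([hex(rest)] if rest else [])) or "0"

def decode_call(func, args):
    # only hex literals are decoded: Joe Sandbox prints raw stack slots, so '?' and missing arguments yield None
    a = lambda i: int(args[i], 16) if i < len(args) and re.fullmatch(r"[0-9A-Fa-f]{1,8}", args[i]) else None
    if func == "Sleep" and a(0) is not None:
        return f"Sleep({a(0)} ms)"
    if func == "OpenProcess" and a(0) is not None:
        return f"OpenProcess({_flags(a(0), PROCESS_ACCESS)})"
    if func == "CreateFileW" and a(1) is not None and a(4) is not None:
        return f"CreateFileW(access={_flags(a(1), GENERIC)}, disposition={DISPOSITION.get(a(4), hex(a(4)))})"
    if func == "SetFilePointer" and a(3) is not None:
        return f"SetFilePointer(method={MOVE.get(a(3), hex(a(3)))})"
    if func == "RegOpenKeyExA" and a(0) is not None and a(3) is not None:
        return f"RegOpenKeyExA(root={HKEY.get(a(0), hex(a(0)))}, access={'KEY_READ' if a(3) == 0x20019 else hex(a(3))})"
    return f"{func}({', '.join(args)})"          # no decoder for this API: echo the raw arguments

def decode_record(rec):
    """Readable call list for one record; subcall lines are prefixed with the caller they belong to."""
    return [(f"[via {c.subcall_of}] " if c.subcall_of else "") + decode_call(c.func, c.args) for c in rec.apis]

if __name__ == "__main__":
    print(*(decode_record(r) for r in parse_records(SAMPLE)), sep="\n")
```

Feeding the whole function listing of a report through parse_records gives one Record per function, so the decoded call lists can be grouped by 'API ID' or grepped for a specific constant (a FILE_END seek before WriteFile, or an HKEY_CURRENT_USER read) without reading the hex by hand. Anything the decoder does not know is echoed verbatim, which keeps unknown APIs visible instead of hiding them.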
                                                                    APIs
                                                                    • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorHandling__start
                                                                    • String ID: pow
                                                                    • API String ID: 3213639722-2276729525
                                                                    • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                    • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                                                    • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                                    • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountEventTick
                                                                    • String ID: >G
                                                                    • API String ID: 180926312-1296849874
                                                                    • Opcode ID: ed7abf5ed144e69c3d2872f5d5d6cab4558b4505d3eee695e95c0055fa3f6914
                                                                    • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                                    • Opcode Fuzzy Hash: ed7abf5ed144e69c3d2872f5d5d6cab4558b4505d3eee695e95c0055fa3f6914
                                                                    • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                                    APIs
                                                                    • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Info
                                                                    • String ID: $fD
                                                                    • API String ID: 1807457897-3092946448
                                                                    • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                                    • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                                    • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                                    • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                                    APIs
                                                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ACP$OCP
                                                                    • API String ID: 0-711371036
                                                                    • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                    • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                                    • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                                    • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                                      • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                    • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                                    Strings
                                                                    • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LocalTime
                                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                                    • API String ID: 481472006-1507639952
                                                                    • Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                                    • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                                    • Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                                    • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LocalTime
                                                                    • String ID: | $%02i:%02i:%02i:%03i
                                                                    • API String ID: 481472006-2430845779
                                                                    • Opcode ID: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                                    • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                                    • Opcode Fuzzy Hash: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                                    • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                                    APIs
                                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExistsFilePath
                                                                    • String ID: alarm.wav$xIG
                                                                    • API String ID: 1174141254-4080756945
                                                                    • Opcode ID: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                                                    • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                                    • Opcode Fuzzy Hash: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                                                    • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                                    APIs
                                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                                      • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                                    • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                                    • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                                    • String ID: Online Keylogger Stopped
                                                                    • API String ID: 1623830855-1496645233
                                                                    • Opcode ID: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                                    • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                                    • Opcode Fuzzy Hash: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                                    • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                                    APIs
                                                                    • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                                    • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wave$BufferHeaderPrepare
                                                                    • String ID: T=G
                                                                    • API String ID: 2315374483-379896819
                                                                    • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                    • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                                    • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                                    • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                                    APIs
                                                                    • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LocaleValid
                                                                    • String ID: IsValidLocaleName$j=D
                                                                    • API String ID: 1901932003-3128777819
                                                                    • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                    • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                                    • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                                    • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID: T=G$T=G
                                                                    • API String ID: 3519838083-3732185208
                                                                    • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                                    • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                                    • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                                    • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                                    APIs
                                                                    • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                                      • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                                      • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                                      • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                                      • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                                      • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                                      • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                                      • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                                    • String ID: [AltL]$[AltR]
                                                                    • API String ID: 2738857842-2658077756
                                                                    • Opcode ID: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                                    • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                                    • Opcode Fuzzy Hash: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                                    • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00448825
                                                                      • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                                      • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFreeHeapLast_free
                                                                    • String ID: `@$`@
                                                                    • API String ID: 1353095263-20545824
                                                                    • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                    • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                                    • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                                    • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                                    APIs
                                                                    • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: State
                                                                    • String ID: [CtrlL]$[CtrlR]
                                                                    • API String ID: 1649606143-2446555240
                                                                    • Opcode ID: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                                    • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                                    • Opcode Fuzzy Hash: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                                    • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                                    APIs
                                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412988
                                                                    • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412998
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DeleteOpenValue
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                    • API String ID: 2654517830-1051519024
                                                                    • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                    • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                                    • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                                    • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                                    • GetLastError.KERNEL32 ref: 0043FB02
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2085729414.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_400000_ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1717984340-0
                                                                    • Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                                    • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                                    • Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                                    • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759

                                                                    Execution Graph

                                                                    Execution Coverage: 9.2%
                                                                    Dynamic/Decrypted Code Coverage: 100%
                                                                    Signature Coverage: 0%
                                                                    Total number of Nodes: 38
                                                                    Total number of Limit Nodes: 7
                                                                    execution_graph (nodes as "id address [API]", edges as "from->to")
                                                                    • 15435 2cc4668
                                                                    • 15436 2cc467a
                                                                    • 15435->15436
                                                                    • 15437 2cc4686
                                                                    • 15436->15437
                                                                    • 15439 2cc4778
                                                                    • 15436->15439
                                                                    • 15440 2cc479d
                                                                    • 15439->15440
                                                                    • 15444 2cc4888
                                                                    • 15440->15444
                                                                    • 15448 2cc4878
                                                                    • 15440->15448
                                                                    • 15445 2cc48af
                                                                    • 15444->15445
                                                                    • 15446 2cc498c
                                                                    • 15445->15446
                                                                    • 15452 2cc44b4
                                                                    • 15445->15452
                                                                    • 15450 2cc4888
                                                                    • 15448->15450
                                                                    • 15449 2cc498c
                                                                    • 15449->15449
                                                                    • 15450->15449
                                                                    • 15451 2cc44b4 CreateActCtxA
                                                                    • 15450->15451
                                                                    • 15451->15449
                                                                    • 15453 2cc5918 CreateActCtxA
                                                                    • 15452->15453
                                                                    • 15455 2cc59db
                                                                    • 15453->15455
                                                                    • 15456 2ccd478
                                                                    • 15457 2ccd4be GetCurrentProcess
                                                                    • 15456->15457
                                                                    • 15459 2ccd509
                                                                    • 15457->15459
                                                                    • 15460 2ccd510 GetCurrentThread
                                                                    • 15457->15460
                                                                    • 15459->15460
                                                                    • 15461 2ccd54d GetCurrentProcess
                                                                    • 15460->15461
                                                                    • 15462 2ccd546
                                                                    • 15460->15462
                                                                    • 15463 2ccd583
                                                                    • 15461->15463
                                                                    • 15462->15461
                                                                    • 15464 2ccd5ab GetCurrentThreadId
                                                                    • 15463->15464
                                                                    • 15465 2ccd5dc
                                                                    • 15464->15465
                                                                    • 15466 2ccd6c0 DuplicateHandle
                                                                    • 15467 2ccd756
                                                                    • 15466->15467
                                                                    • 15468 2ccacf0
                                                                    • 15469 2ccacff
                                                                    • 15468->15469
                                                                    • 15472 2ccadd8
                                                                    • 15468->15472
                                                                    • 15477 2ccade8
                                                                    • 15468->15477
                                                                    • 15473 2ccadf9
                                                                    • 15472->15473
                                                                    • 15474 2ccae1c
                                                                    • 15472->15474
                                                                    • 15473->15474
                                                                    • 15475 2ccb020 GetModuleHandleW
                                                                    • 15473->15475
                                                                    • 15474->15469
                                                                    • 15476 2ccb04d
                                                                    • 15475->15476
                                                                    • 15476->15469
                                                                    • 15478 2ccae1c
                                                                    • 15477->15478
                                                                    • 15479 2ccadf9
                                                                    • 15477->15479
                                                                    • 15478->15469
                                                                    • 15479->15478
                                                                    • 15480 2ccb020 GetModuleHandleW
                                                                    • 15479->15480
                                                                    • 15481 2ccb04d
                                                                    • 15480->15481
                                                                    • 15481->15469

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph (basic blocks as "id start-end [API/call]", edges as "from->to")
                                                                    • 294 2ccd468-2ccd507 GetCurrentProcess
                                                                    • 298 2ccd509-2ccd50f
                                                                    • 294->298
                                                                    • 299 2ccd510-2ccd544 GetCurrentThread
                                                                    • 294->299
                                                                    • 298->299
                                                                    • 300 2ccd54d-2ccd581 GetCurrentProcess
                                                                    • 299->300
                                                                    • 301 2ccd546-2ccd54c
                                                                    • 299->301
                                                                    • 303 2ccd58a-2ccd5a5 call 2ccd647
                                                                    • 300->303
                                                                    • 304 2ccd583-2ccd589
                                                                    • 300->304
                                                                    • 301->300
                                                                    • 306 2ccd5ab-2ccd5da GetCurrentThreadId
                                                                    • 303->306
                                                                    • 304->303
                                                                    • 308 2ccd5dc-2ccd5e2
                                                                    • 306->308
                                                                    • 309 2ccd5e3-2ccd645
                                                                    • 306->309
                                                                    • 308->309
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 02CCD4F6
                                                                    • GetCurrentThread.KERNEL32 ref: 02CCD533
                                                                    • GetCurrentProcess.KERNEL32 ref: 02CCD570
                                                                    • GetCurrentThreadId.KERNEL32 ref: 02CCD5C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143702323.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2cc0000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 6aca39e721606439949e64c7cb0c81c2e0de1f18ff9d310de6693b857889b8f4
                                                                    • Instruction ID: a3a1b5692a02d70cba1f50fd32f51c00eba013d3eab8d277151124e8d59d6757
                                                                    • Opcode Fuzzy Hash: 6aca39e721606439949e64c7cb0c81c2e0de1f18ff9d310de6693b857889b8f4
                                                                    • Instruction Fuzzy Hash: D05146B19003498FDB15CFAADA48BAEBBF1EF88314F2484ADD409A73A1D7345945CB61

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph (basic blocks as "id start-end [API/call]", edges as "from->to")
                                                                    • 316 2ccd478-2ccd507 GetCurrentProcess
                                                                    • 320 2ccd509-2ccd50f
                                                                    • 316->320
                                                                    • 321 2ccd510-2ccd544 GetCurrentThread
                                                                    • 316->321
                                                                    • 320->321
                                                                    • 322 2ccd54d-2ccd581 GetCurrentProcess
                                                                    • 321->322
                                                                    • 323 2ccd546-2ccd54c
                                                                    • 321->323
                                                                    • 325 2ccd58a-2ccd5a5 call 2ccd647
                                                                    • 322->325
                                                                    • 326 2ccd583-2ccd589
                                                                    • 322->326
                                                                    • 323->322
                                                                    • 328 2ccd5ab-2ccd5da GetCurrentThreadId
                                                                    • 325->328
                                                                    • 326->325
                                                                    • 330 2ccd5dc-2ccd5e2
                                                                    • 328->330
                                                                    • 331 2ccd5e3-2ccd645
                                                                    • 328->331
                                                                    • 330->331
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 02CCD4F6
                                                                    • GetCurrentThread.KERNEL32 ref: 02CCD533
                                                                    • GetCurrentProcess.KERNEL32 ref: 02CCD570
                                                                    • GetCurrentThreadId.KERNEL32 ref: 02CCD5C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143702323.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2cc0000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 0f5cabdff563f0df5e3eb2b372ffe9239d2cb8fdb86c08fbc4e5f7b47071e765
                                                                    • Instruction ID: 63e4a9aa1113a7c4d144a755e8e26d001279680ee7778dbc65522cffa144ae6f
                                                                    • Opcode Fuzzy Hash: 0f5cabdff563f0df5e3eb2b372ffe9239d2cb8fdb86c08fbc4e5f7b47071e765
                                                                    • Instruction Fuzzy Hash: 345136B19002498FDB14CFAADA48BAEBBF1EF88314F24846DE409A7361D7345985CF65

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 360 2ccade8-2ccadf7 361 2ccadf9-2ccae06 call 2cc9414 360->361 362 2ccae23-2ccae27 360->362 369 2ccae1c 361->369 370 2ccae08 361->370 364 2ccae29-2ccae33 362->364 365 2ccae3b-2ccae7c 362->365 364->365 371 2ccae7e-2ccae86 365->371 372 2ccae89-2ccae97 365->372 369->362 415 2ccae0e call 2ccb080 370->415 416 2ccae0e call 2ccb070 370->416 371->372 373 2ccae99-2ccae9e 372->373 374 2ccaebb-2ccaebd 372->374 377 2ccaea9 373->377 378 2ccaea0-2ccaea7 call 2cca150 373->378 376 2ccaec0-2ccaec7 374->376 375 2ccae14-2ccae16 375->369 379 2ccaf58-2ccb018 375->379 381 2ccaec9-2ccaed1 376->381 382 2ccaed4-2ccaedb 376->382 383 2ccaeab-2ccaeb9 377->383 378->383 410 2ccb01a-2ccb01d 379->410 411 2ccb020-2ccb04b GetModuleHandleW 379->411 381->382 386 2ccaedd-2ccaee5 382->386 387 2ccaee8-2ccaef1 call 2cca160 382->387 383->376 386->387 391 2ccaefe-2ccaf03 387->391 392 2ccaef3-2ccaefb 387->392 393 2ccaf05-2ccaf0c 391->393 394 2ccaf21-2ccaf2e 391->394 392->391 393->394 396 2ccaf0e-2ccaf1e call 2cca170 call 2cca180 393->396 401 2ccaf30-2ccaf4e 394->401 402 2ccaf51-2ccaf57 394->402 396->394 401->402 410->411 412 2ccb04d-2ccb053 411->412 413 2ccb054-2ccb068 411->413 412->413 415->375 416->375
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02CCB03E
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143702323.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2cc0000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 1199a9515ef040d85b97feeb2443a07c7c1afe3b1c118d38551548790c06cd1f
                                                                    • Instruction ID: 031996a3a937da61b2dec0addf1938c9545d58ee2355fc534f58a49bdaf7c7a4
                                                                    • Opcode Fuzzy Hash: 1199a9515ef040d85b97feeb2443a07c7c1afe3b1c118d38551548790c06cd1f
                                                                    • Instruction Fuzzy Hash: DE7143B0A00B498FDB24DF6AD44975ABBF2FF88304F108A2DD08AD7A40D735E955CB90

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 417 2cc44b4-2cc59d9 CreateActCtxA 420 2cc59db-2cc59e1 417->420 421 2cc59e2-2cc5a3c 417->421 420->421 428 2cc5a3e-2cc5a41 421->428 429 2cc5a4b-2cc5a4f 421->429 428->429 430 2cc5a60-2cc5a90 429->430 431 2cc5a51-2cc5a5d 429->431 435 2cc5a42-2cc5a47 430->435 436 2cc5a92-2cc5b14 430->436 431->430 435->429
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 02CC59C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143702323.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2cc0000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: fe85370eaa13ae47752ddaedfa7ac0566400d79c54c9abb43f2b2dc9b8b2986e
                                                                    • Instruction ID: a4b094f3cb1171cfa5aad693ca850931b12ad635544509ff28b2899b5dbe25b1
                                                                    • Opcode Fuzzy Hash: fe85370eaa13ae47752ddaedfa7ac0566400d79c54c9abb43f2b2dc9b8b2986e
                                                                    • Instruction Fuzzy Hash: 7841F2B0C00719CBDB24DFAAC944B9EBBF5BF89304F60806AD409AB251DB71694ACF50

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 439 2cc590c-2cc59d9 CreateActCtxA 441 2cc59db-2cc59e1 439->441 442 2cc59e2-2cc5a3c 439->442 441->442 449 2cc5a3e-2cc5a41 442->449 450 2cc5a4b-2cc5a4f 442->450 449->450 451 2cc5a60-2cc5a90 450->451 452 2cc5a51-2cc5a5d 450->452 456 2cc5a42-2cc5a47 451->456 457 2cc5a92-2cc5b14 451->457 452->451 456->450
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 02CC59C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143702323.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2cc0000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: ba154f2f085abb52b6d531fdab2a7c651d6e42f77b8592e97452940c630dc0fd
                                                                    • Instruction ID: a338cea8b4c381f95292b936b48d2ecab59586b1db560acf08c8882e24a1fa4f
                                                                    • Opcode Fuzzy Hash: ba154f2f085abb52b6d531fdab2a7c651d6e42f77b8592e97452940c630dc0fd
                                                                    • Instruction Fuzzy Hash: B34101B0C00759CBDB24CFAAC984BDEBBB5BF89304F20815AD408AB251DB71694ACF50

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 465 2ccd6c0-2ccd754 DuplicateHandle 466 2ccd75d-2ccd77a 465->466 467 2ccd756-2ccd75c 465->467 467->466
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CCD747
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143702323.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2cc0000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 0edb0820a2d95a012bbefc525bc354da6c503f661561cbe0eff911f45e06ec4a
                                                                    • Instruction ID: 3fa3ffead43b8df171f6a1aad466c99b3b9730da6e1092139ee69cc1309b829e
                                                                    • Opcode Fuzzy Hash: 0edb0820a2d95a012bbefc525bc354da6c503f661561cbe0eff911f45e06ec4a
                                                                    • Instruction Fuzzy Hash: 1E21C4B59002499FDB10CF9AD984ADEFBF9EB48310F14842AE918A3350D374A944DF65

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 460 2ccd6b9-2ccd754 DuplicateHandle 461 2ccd75d-2ccd77a 460->461 462 2ccd756-2ccd75c 460->462 462->461
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CCD747
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143702323.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2cc0000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: a41aac59c96baa8fcb03b850d5121338628fa7b19ead15c58927afe94df393ad
                                                                    • Instruction ID: b79332d633e2d89ec14bafdff65d1a061b728e678340dcd808b3e108c5bdc292
                                                                    • Opcode Fuzzy Hash: a41aac59c96baa8fcb03b850d5121338628fa7b19ead15c58927afe94df393ad
                                                                    • Instruction Fuzzy Hash: 0821E0B59002099FDB10CFAAD984ADEBBF4EB48320F14842AE918B3311D374A940CF61

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 470 2ccafd8-2ccb018 471 2ccb01a-2ccb01d 470->471 472 2ccb020-2ccb04b GetModuleHandleW 470->472 471->472 473 2ccb04d-2ccb053 472->473 474 2ccb054-2ccb068 472->474 473->474
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02CCB03E
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143702323.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2cc0000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: c11d1539242d22d706eef7f0be76f7359568c2a054c73e7c43034f27330c0408
                                                                    • Instruction ID: 1e1d51719bdda4e963f704669d63ae4170e631589ca294b1173893c402868c65
                                                                    • Opcode Fuzzy Hash: c11d1539242d22d706eef7f0be76f7359568c2a054c73e7c43034f27330c0408
                                                                    • Instruction Fuzzy Hash: 5C1102B6C003498FDB10CF9AC944ADEFBF8EB88224F10841AD528A7610D375A945CFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143504052.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2bfd000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 65bb72e8b4c70af83a8e0191d1d2bb519c306bcc1d9f47910b2e1a557bc82da2
                                                                    • Instruction ID: 504e2b17e6caafdcab6571dc61fb549fb652579c241110ab94bbb4a32dc1598b
                                                                    • Opcode Fuzzy Hash: 65bb72e8b4c70af83a8e0191d1d2bb519c306bcc1d9f47910b2e1a557bc82da2
                                                                    • Instruction Fuzzy Hash: FE213471604201DFDB55DF24D9D0B26BB65FB88324F20C9ADEA0A4B746C33BD80BCA61
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143504052.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2bfd000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b8aacbf731801f5e587bf7d1f3d70e85a1439218705aae8d1d326165d265df1
                                                                    • Instruction ID: ab3a116872919c6ed57d23ea4d49e0065e877151470b08af5d014cb8b6abf75b
                                                                    • Opcode Fuzzy Hash: 2b8aacbf731801f5e587bf7d1f3d70e85a1439218705aae8d1d326165d265df1
                                                                    • Instruction Fuzzy Hash: EA212971604201DFDB45DF14D9C0B26BB65FB88314F24C9ADEA494B256C336D44ACAA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143504052.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2bfd000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b27e85d9f1e7cd6ab03bdc9cb34958c4a5390614a27eb79e08eada70d7deaf49
                                                                    • Instruction ID: 79a588a242090aa7981611996cf70c6b9ca214b1dba0bdbb6efe02fdec3f8761
                                                                    • Opcode Fuzzy Hash: b27e85d9f1e7cd6ab03bdc9cb34958c4a5390614a27eb79e08eada70d7deaf49
                                                                    • Instruction Fuzzy Hash: CC21C6755093808FCB06CF20D594715BF71EB46314F28C5EAD9498B697C33AD80ACB62
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143504052.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BFD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2bfd000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                                    • Instruction ID: 5c02774605169525d2bca8cd84bc0ced2647561383fc17836a563b66bd38a431
                                                                    • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                                    • Instruction Fuzzy Hash: 4E11DD76504280DFCB02CF10C5C4B15FBB1FB84314F24C6AED9894B296C33AD40ACBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143449266.0000000002BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BED000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2bed000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8bf1c53b120e4a325fb4656cb4ce56611720390277076c5109747f5f891d5afc
                                                                    • Instruction ID: 17271be3c13bf0ae0d9542d7dff784ebed120e103ebb7c3cfefc7d3c30f0761e
                                                                    • Opcode Fuzzy Hash: 8bf1c53b120e4a325fb4656cb4ce56611720390277076c5109747f5f891d5afc
                                                                    • Instruction Fuzzy Hash: 7F01A2711043459BEB219F29CD85B66BFACDF42334F18C59AED1A0A286D7B99840CAB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2143449266.0000000002BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BED000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_2bed000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fb7394181ab191c74720a82a4b84892054c5de99b8a5f2cfe3a4ae400131e481
                                                                    • Instruction ID: f2b869b2117425ad2eff5119807099e4e1148631cd957d53f5afc51127dfdb63
                                                                    • Opcode Fuzzy Hash: fb7394181ab191c74720a82a4b84892054c5de99b8a5f2cfe3a4ae400131e481
                                                                    • Instruction Fuzzy Hash: C2F062724043459EEB108F15C989B62FFACEB91734F18C55AED494A296C3799844CBB1

                                                                    Execution Graph

                                                                    Execution Coverage:2.6%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:1668
                                                                    Total number of Limit Nodes:5
                                                                    execution_graph 6510 10008640 6513 10008657 6510->6513 6514 10008665 6513->6514 6515 10008679 6513->6515 6518 10006368 _free 20 API calls 6514->6518 6516 10008681 6515->6516 6517 10008693 6515->6517 6520 10006368 _free 20 API calls 6516->6520 6524 10008652 6517->6524 6526 100054a7 6517->6526 6519 1000866a 6518->6519 6521 100062ac _abort 26 API calls 6519->6521 6522 10008686 6520->6522 6521->6524 6525 100062ac _abort 26 API calls 6522->6525 6525->6524 6527 100054ba 6526->6527 6528 100054c4 6526->6528 6527->6524 6528->6527 6529 10005af6 _abort 38 API calls 6528->6529 6530 100054e5 6529->6530 6534 10007a00 6530->6534 6535 10007a13 6534->6535 6536 100054fe 6534->6536 6535->6536 6542 10007f0f 6535->6542 6538 10007a2d 6536->6538 6539 10007a40 6538->6539 6540 10007a55 6538->6540 6539->6540 6677 10006d7e 6539->6677 6540->6527 6543 10007f1b ___scrt_is_nonwritable_in_current_image 6542->6543 6544 10005af6 _abort 38 API calls 6543->6544 6545 10007f24 6544->6545 6546 10007f72 _abort 6545->6546 6554 10005671 RtlEnterCriticalSection 6545->6554 6546->6536 6548 10007f42 6555 10007f86 6548->6555 6553 100055a8 _abort 38 API calls 6553->6546 6554->6548 6556 10007f56 6555->6556 6557 10007f94 __fassign 6555->6557 6559 10007f75 6556->6559 6557->6556 6562 10007cc2 6557->6562 6676 100056b9 RtlLeaveCriticalSection 6559->6676 6561 10007f69 6561->6546 6561->6553 6563 10007d42 6562->6563 6566 10007cd8 6562->6566 6564 10007d90 6563->6564 6567 1000571e _free 20 API calls 6563->6567 6630 10007e35 6564->6630 6566->6563 6568 10007d0b 6566->6568 6573 1000571e _free 20 API calls 6566->6573 6569 10007d64 6567->6569 6570 10007d2d 6568->6570 6575 1000571e _free 20 API calls 6568->6575 6571 1000571e _free 20 API calls 6569->6571 6572 1000571e _free 20 API calls 6570->6572 6574 10007d77 6571->6574 6577 10007d37 6572->6577 6579 10007d00 6573->6579 6576 1000571e _free 20 API calls 6574->6576 6581 10007d22 6575->6581 6582 10007d85 
6576->6582 6583 1000571e _free 20 API calls 6577->6583 6578 10007dfe 6584 1000571e _free 20 API calls 6578->6584 6590 100090ba 6579->6590 6580 10007d9e 6580->6578 6588 1000571e 20 API calls _free 6580->6588 6618 100091b8 6581->6618 6587 1000571e _free 20 API calls 6582->6587 6583->6563 6589 10007e04 6584->6589 6587->6564 6588->6580 6589->6556 6591 100090cb 6590->6591 6617 100091b4 6590->6617 6592 100090dc 6591->6592 6593 1000571e _free 20 API calls 6591->6593 6594 100090ee 6592->6594 6596 1000571e _free 20 API calls 6592->6596 6593->6592 6595 10009100 6594->6595 6597 1000571e _free 20 API calls 6594->6597 6598 10009112 6595->6598 6599 1000571e _free 20 API calls 6595->6599 6596->6594 6597->6595 6600 10009124 6598->6600 6601 1000571e _free 20 API calls 6598->6601 6599->6598 6602 10009136 6600->6602 6604 1000571e _free 20 API calls 6600->6604 6601->6600 6603 10009148 6602->6603 6605 1000571e _free 20 API calls 6602->6605 6606 1000915a 6603->6606 6607 1000571e _free 20 API calls 6603->6607 6604->6602 6605->6603 6608 1000571e _free 20 API calls 6606->6608 6611 1000916c 6606->6611 6607->6606 6608->6611 6609 10009190 6614 100091a2 6609->6614 6615 1000571e _free 20 API calls 6609->6615 6610 1000917e 6610->6609 6613 1000571e _free 20 API calls 6610->6613 6611->6610 6612 1000571e _free 20 API calls 6611->6612 6612->6610 6613->6609 6616 1000571e _free 20 API calls 6614->6616 6614->6617 6615->6614 6616->6617 6617->6568 6619 100091c5 6618->6619 6629 1000921d 6618->6629 6620 1000571e _free 20 API calls 6619->6620 6621 100091d5 6619->6621 6620->6621 6622 100091e7 6621->6622 6623 1000571e _free 20 API calls 6621->6623 6624 100091f9 6622->6624 6626 1000571e _free 20 API calls 6622->6626 6623->6622 6625 1000920b 6624->6625 6627 1000571e _free 20 API calls 6624->6627 6628 1000571e _free 20 API calls 6625->6628 6625->6629 6626->6624 6627->6625 6628->6629 6629->6570 6631 10007e60 6630->6631 6632 10007e42 6630->6632 6631->6580 6632->6631 6636 1000925d 6632->6636 6635 1000571e _free 20 
API calls 6635->6631 6637 10007e5a 6636->6637 6638 1000926e 6636->6638 6637->6635 6672 10009221 6638->6672 6641 10009221 __fassign 20 API calls 6642 10009281 6641->6642 6643 10009221 __fassign 20 API calls 6642->6643 6644 1000928c 6643->6644 6645 10009221 __fassign 20 API calls 6644->6645 6646 10009297 6645->6646 6647 10009221 __fassign 20 API calls 6646->6647 6648 100092a5 6647->6648 6649 1000571e _free 20 API calls 6648->6649 6650 100092b0 6649->6650 6651 1000571e _free 20 API calls 6650->6651 6652 100092bb 6651->6652 6653 1000571e _free 20 API calls 6652->6653 6654 100092c6 6653->6654 6655 10009221 __fassign 20 API calls 6654->6655 6656 100092d4 6655->6656 6657 10009221 __fassign 20 API calls 6656->6657 6658 100092e2 6657->6658 6659 10009221 __fassign 20 API calls 6658->6659 6660 100092f3 6659->6660 6661 10009221 __fassign 20 API calls 6660->6661 6662 10009301 6661->6662 6663 10009221 __fassign 20 API calls 6662->6663 6664 1000930f 6663->6664 6665 1000571e _free 20 API calls 6664->6665 6666 1000931a 6665->6666 6667 1000571e _free 20 API calls 6666->6667 6668 10009325 6667->6668 6669 1000571e _free 20 API calls 6668->6669 6670 10009330 6669->6670 6671 1000571e _free 20 API calls 6670->6671 6671->6637 6673 10009258 6672->6673 6674 10009248 6672->6674 6673->6641 6674->6673 6675 1000571e _free 20 API calls 6674->6675 6675->6674 6676->6561 6678 10006d8a ___scrt_is_nonwritable_in_current_image 6677->6678 6679 10005af6 _abort 38 API calls 6678->6679 6681 10006d94 6679->6681 6682 10006e18 _abort 6681->6682 6683 100055a8 _abort 38 API calls 6681->6683 6685 1000571e _free 20 API calls 6681->6685 6686 10005671 RtlEnterCriticalSection 6681->6686 6687 10006e0f 6681->6687 6682->6540 6683->6681 6685->6681 6686->6681 6690 100056b9 RtlLeaveCriticalSection 6687->6690 6689 10006e16 6689->6681 6690->6689 7257 10007a80 7258 10007a8d 7257->7258 7259 1000637b _abort 20 API calls 7258->7259 7260 10007aa7 7259->7260 7261 1000571e _free 20 API calls 7260->7261 7262 10007ab3 7261->7262 
Execution Graph (interactive call graph; only a summary of the node/edge export is kept here)

The export is for a module mapped at 0x10000000 and containing dllmain_dispatch/dllmain_raw nodes, i.e. a DLL dropped or injected by the sample, and its rendering was cut off mid-graph. Node ids are per-rendering and the same address is listed under several ids (0x1000c82c appears as 5831, 5845 and 5849), so de-duplicate by address when reading it. Most nodes are CRT housekeeping (heap, TLS, locale and code-page lookups, console and file I/O, critical sections, exception filters). The routines that call Windows APIs directly and are worth a closer look are:

0x100012ee with callees at 0x100010f1, 0x10001000 and 0x10001cca: GetEnvironmentVariableW, lstrlenW/lstrcatW, FindFirstFileW/FindNextFileW/FindClose, GetFileAttributesW, CopyFileW, CreateFileW, GetFileSize, ReadFile, CloseHandle, DeleteFileW. The shape is a directory walk under a path built from an environment variable, with each file copied, read and the copy deleted; the graph does not show which directory or files.

0x1000c7a7: GetModuleHandleA, GetProcAddress, then VirtualProtect twice. Resolving an export by name and flipping page protection around it is the sequence used for in-memory patching of a loaded module; the graph alone does not identify the patched function.

0x100060e2 (___scrt_fastfail): IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess. CRT fail-fast path, not an anti-debug check on its own.

0x10002264: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter. CRT security-cookie initialization.
7201->7203 7202->7203 7204 1000b393 7203->7204 7205 1000b36e 7203->7205 7206 1000b8b2 __startOneArgErrorHandling 20 API calls 7204->7206 7211 1000b8e1 7205->7211 7208 1000b38e __startOneArgErrorHandling 7206->7208 7209 10002ada _ValidateLocalCookies 5 API calls 7208->7209 7210 1000b3b7 7209->7210 7210->7199 7212 1000b8f0 7211->7212 7213 1000b90f __startOneArgErrorHandling 7212->7213 7214 1000b964 __startOneArgErrorHandling 7212->7214 7215 100078a3 __startOneArgErrorHandling 5 API calls 7213->7215 7216 1000b8b2 __startOneArgErrorHandling 20 API calls 7214->7216 7217 1000b950 7215->7217 7219 1000b95d 7216->7219 7218 1000b8b2 __startOneArgErrorHandling 20 API calls 7217->7218 7217->7219 7218->7219 7219->7208 7465 100060ac 7466 100060b7 7465->7466 7468 100060dd 7465->7468 7467 100060c7 FreeLibrary 7466->7467 7466->7468 7467->7466 7220 1000506f 7221 10005081 7220->7221 7222 10005087 7220->7222 7223 10005000 20 API calls 7221->7223 7223->7222 6183 10005630 6184 1000563b 6183->6184 6186 10005664 6184->6186 6188 10005660 6184->6188 6189 10005eb7 6184->6189 6196 10005688 6186->6196 6190 10005c45 _abort 5 API calls 6189->6190 6191 10005ede 6190->6191 6192 10005efc InitializeCriticalSectionAndSpinCount 6191->6192 6195 10005ee7 6191->6195 6192->6195 6193 10002ada _ValidateLocalCookies 5 API calls 6194 10005f13 6193->6194 6194->6184 6195->6193 6197 100056b4 6196->6197 6198 10005695 6196->6198 6197->6188 6199 1000569f RtlDeleteCriticalSection 6198->6199 6199->6197 6199->6199 7224 10003370 7235 10003330 7224->7235 7236 10003342 7235->7236 7237 1000334f 7235->7237 7238 10002ada _ValidateLocalCookies 5 API calls 7236->7238 7238->7237 7802 100063f0 7803 10006400 7802->7803 7806 10006416 7802->7806 7804 10006368 _free 20 API calls 7803->7804 7805 10006405 7804->7805 7808 100062ac _abort 26 API calls 7805->7808 7809 10006480 7806->7809 7814 10006561 7806->7814 7821 10006580 7806->7821 7807 10004e76 20 API calls 7810 100064e5 7807->7810 7816 1000640f 7808->7816 7809->7807 7812 100064ee 
7810->7812 7818 10006573 7810->7818 7832 100085eb 7810->7832 7813 1000571e _free 20 API calls 7812->7813 7813->7814 7841 1000679a 7814->7841 7819 100062bc _abort 11 API calls 7818->7819 7820 1000657f 7819->7820 7822 1000658c 7821->7822 7822->7822 7823 1000637b _abort 20 API calls 7822->7823 7824 100065ba 7823->7824 7825 100085eb 26 API calls 7824->7825 7826 100065e6 7825->7826 7827 100062bc _abort 11 API calls 7826->7827 7828 10006615 ___scrt_fastfail 7827->7828 7829 100066b6 FindFirstFileExA 7828->7829 7830 10006705 7829->7830 7831 10006580 26 API calls 7830->7831 7835 1000853a 7832->7835 7833 1000854f 7834 10006368 _free 20 API calls 7833->7834 7836 10008554 7833->7836 7840 1000857a 7834->7840 7835->7833 7835->7836 7838 1000858b 7835->7838 7836->7810 7837 100062ac _abort 26 API calls 7837->7836 7838->7836 7839 10006368 _free 20 API calls 7838->7839 7839->7840 7840->7837 7845 100067a4 7841->7845 7842 100067b4 7844 1000571e _free 20 API calls 7842->7844 7843 1000571e _free 20 API calls 7843->7845 7846 100067bb 7844->7846 7845->7842 7845->7843 7846->7816 7239 10009e71 7240 10009e95 7239->7240 7241 10009ee6 7240->7241 7243 10009f71 __startOneArgErrorHandling 7240->7243 7244 10009ef8 7241->7244 7247 1000aa53 7241->7247 7245 1000b2f0 21 API calls 7243->7245 7246 1000acad __startOneArgErrorHandling 7243->7246 7245->7246 7248 1000aa70 RtlDecodePointer 7247->7248 7249 1000aa80 7247->7249 7248->7249 7250 1000ab0d 7249->7250 7253 1000ab02 7249->7253 7255 1000aab7 7249->7255 7250->7253 7254 10006368 _free 20 API calls 7250->7254 7251 10002ada _ValidateLocalCookies 5 API calls 7252 1000ac67 7251->7252 7252->7244 7253->7251 7254->7253 7255->7253 7256 10006368 _free 20 API calls 7255->7256 7256->7253 7473 10003eb3 7474 10005411 38 API calls 7473->7474 7475 10003ebb 7474->7475 6200 1000543d 6201 10005440 6200->6201 6204 100055a8 6201->6204 6215 10007613 6204->6215 6207 100055b8 6209 100055c2 IsProcessorFeaturePresent 6207->6209 6214 100055e0 6207->6214 6211 100055cd 6209->6211 
6212 100060e2 _abort 8 API calls 6211->6212 6212->6214 6245 10004bc1 6214->6245 6248 10007581 6215->6248 6218 1000766e 6219 1000767a _abort 6218->6219 6220 10005b7a _abort 20 API calls 6219->6220 6221 100076a1 _abort 6219->6221 6225 100076a7 _abort 6219->6225 6220->6221 6222 100076f3 6221->6222 6221->6225 6244 100076d6 6221->6244 6223 10006368 _free 20 API calls 6222->6223 6224 100076f8 6223->6224 6227 100062ac _abort 26 API calls 6224->6227 6230 1000771f 6225->6230 6262 10005671 RtlEnterCriticalSection 6225->6262 6227->6244 6231 1000777e 6230->6231 6233 10007776 6230->6233 6241 100077a9 6230->6241 6263 100056b9 RtlLeaveCriticalSection 6230->6263 6231->6241 6264 10007665 6231->6264 6236 10004bc1 _abort 28 API calls 6233->6236 6236->6231 6240 10007665 _abort 38 API calls 6240->6241 6267 1000782e 6241->6267 6242 1000780c 6243 10005af6 _abort 38 API calls 6242->6243 6242->6244 6243->6244 6291 1000bdc9 6244->6291 6295 1000499b 6245->6295 6251 10007527 6248->6251 6250 100055ad 6250->6207 6250->6218 6252 10007533 ___scrt_is_nonwritable_in_current_image 6251->6252 6257 10005671 RtlEnterCriticalSection 6252->6257 6254 10007541 6258 10007575 6254->6258 6256 10007568 _abort 6256->6250 6257->6254 6261 100056b9 RtlLeaveCriticalSection 6258->6261 6260 1000757f 6260->6256 6261->6260 6262->6230 6263->6233 6265 10005af6 _abort 38 API calls 6264->6265 6266 1000766a 6265->6266 6266->6240 6268 10007834 6267->6268 6269 100077fd 6267->6269 6294 100056b9 RtlLeaveCriticalSection 6268->6294 6269->6242 6269->6244 6271 10005af6 GetLastError 6269->6271 6272 10005b12 6271->6272 6273 10005b0c 6271->6273 6275 1000637b _abort 20 API calls 6272->6275 6277 10005b61 SetLastError 6272->6277 6274 10005e08 _abort 11 API calls 6273->6274 6274->6272 6276 10005b24 6275->6276 6278 10005b2c 6276->6278 6279 10005e5e _abort 11 API calls 6276->6279 6277->6242 6280 1000571e _free 20 API calls 6278->6280 6281 10005b41 6279->6281 6282 10005b32 6280->6282 6281->6278 6283 10005b48 6281->6283 6284 10005b6d 
SetLastError 6282->6284 6285 1000593c _abort 20 API calls 6283->6285 6287 100055a8 _abort 35 API calls 6284->6287 6286 10005b53 6285->6286 6288 1000571e _free 20 API calls 6286->6288 6289 10005b79 6287->6289 6290 10005b5a 6288->6290 6290->6277 6290->6284 6292 10002ada _ValidateLocalCookies 5 API calls 6291->6292 6293 1000bdd4 6292->6293 6293->6293 6294->6269 6296 100049a7 _abort 6295->6296 6303 100049bf 6296->6303 6317 10004af5 GetModuleHandleW 6296->6317 6300 10004a65 6334 10004aa5 6300->6334 6326 10005671 RtlEnterCriticalSection 6303->6326 6305 10004a3c 6307 10004a54 6305->6307 6330 10004669 6305->6330 6306 100049c7 6306->6300 6306->6305 6327 1000527a 6306->6327 6313 10004669 _abort 5 API calls 6307->6313 6308 10004a82 6337 10004ab4 6308->6337 6309 10004aae 6311 1000bdc9 _abort 5 API calls 6309->6311 6316 10004ab3 6311->6316 6313->6300 6318 100049b3 6317->6318 6318->6303 6319 10004b39 GetModuleHandleExW 6318->6319 6320 10004b63 GetProcAddress 6319->6320 6321 10004b78 6319->6321 6320->6321 6322 10004b95 6321->6322 6323 10004b8c FreeLibrary 6321->6323 6324 10002ada _ValidateLocalCookies 5 API calls 6322->6324 6323->6322 6325 10004b9f 6324->6325 6325->6303 6326->6306 6345 10005132 6327->6345 6331 10004698 6330->6331 6332 10002ada _ValidateLocalCookies 5 API calls 6331->6332 6333 100046c1 6332->6333 6333->6307 6367 100056b9 RtlLeaveCriticalSection 6334->6367 6336 10004a7e 6336->6308 6336->6309 6368 10006025 6337->6368 6340 10004ae2 6343 10004b39 _abort 8 API calls 6340->6343 6341 10004ac2 GetPEB 6341->6340 6342 10004ad2 GetCurrentProcess TerminateProcess 6341->6342 6342->6340 6344 10004aea ExitProcess 6343->6344 6348 100050e1 6345->6348 6347 10005156 6347->6305 6349 100050ed ___scrt_is_nonwritable_in_current_image 6348->6349 6356 10005671 RtlEnterCriticalSection 6349->6356 6351 100050fb 6357 1000515a 6351->6357 6355 10005119 _abort 6355->6347 6356->6351 6360 10005182 6357->6360 6361 1000517a 6357->6361 6358 10002ada _ValidateLocalCookies 5 API calls 6359 10005108 
6358->6359 6363 10005126 6359->6363 6360->6361 6362 1000571e _free 20 API calls 6360->6362 6361->6358 6362->6361 6366 100056b9 RtlLeaveCriticalSection 6363->6366 6365 10005130 6365->6355 6366->6365 6367->6336 6369 10006040 6368->6369 6370 1000604a 6368->6370 6372 10002ada _ValidateLocalCookies 5 API calls 6369->6372 6371 10005c45 _abort 5 API calls 6370->6371 6371->6369 6373 10004abe 6372->6373 6373->6340 6373->6341 6374 10001f3f 6375 10001f4b ___scrt_is_nonwritable_in_current_image 6374->6375 6392 1000247c 6375->6392 6377 10001f52 6378 10002041 6377->6378 6379 10001f7c 6377->6379 6386 10001f57 ___scrt_is_nonwritable_in_current_image 6377->6386 6415 10002639 IsProcessorFeaturePresent 6378->6415 6403 100023de 6379->6403 6382 10002048 6383 10001f8b __RTC_Initialize 6383->6386 6406 100022fc RtlInitializeSListHead 6383->6406 6385 10001f99 ___scrt_initialize_default_local_stdio_options 6407 100046c5 6385->6407 6390 10001fb8 6390->6386 6391 10004669 _abort 5 API calls 6390->6391 6391->6386 6393 10002485 6392->6393 6419 10002933 IsProcessorFeaturePresent 6393->6419 6397 1000249a 6397->6377 6398 10002496 6398->6397 6430 100053c8 6398->6430 6401 100024b1 6401->6377 6504 100024b5 6403->6504 6405 100023e5 6405->6383 6406->6385 6408 100046dc 6407->6408 6409 10002ada _ValidateLocalCookies 5 API calls 6408->6409 6410 10001fad 6409->6410 6410->6386 6411 100023b3 6410->6411 6412 100023b8 ___scrt_release_startup_lock 6411->6412 6413 10002933 ___isa_available_init IsProcessorFeaturePresent 6412->6413 6414 100023c1 6412->6414 6413->6414 6414->6390 6416 1000264e ___scrt_fastfail 6415->6416 6417 100026f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6416->6417 6418 10002744 ___scrt_fastfail 6417->6418 6418->6382 6420 10002491 6419->6420 6421 100034ea 6420->6421 6422 100034ef ___vcrt_initialize_winapi_thunks 6421->6422 6441 10003936 6422->6441 6426 10003505 6427 10003510 6426->6427 6455 10003972 6426->6455 6427->6398 6429 100034fd 6429->6398 6496 10007457 
6430->6496 6433 10003529 6434 10003532 6433->6434 6435 10003543 6433->6435 6436 1000391b ___vcrt_uninitialize_ptd 6 API calls 6434->6436 6435->6397 6437 10003537 6436->6437 6438 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6437->6438 6439 1000353c 6438->6439 6500 10003c50 6439->6500 6442 1000393f 6441->6442 6444 10003968 6442->6444 6445 100034f9 6442->6445 6459 10003be0 6442->6459 6446 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6444->6446 6445->6429 6447 100038e8 6445->6447 6446->6445 6477 10003af1 6447->6477 6450 100038fd 6450->6426 6453 10003918 6453->6426 6456 1000399c 6455->6456 6457 1000397d 6455->6457 6456->6429 6458 10003987 RtlDeleteCriticalSection 6457->6458 6458->6456 6458->6458 6464 10003a82 6459->6464 6461 10003bfa 6462 10003c18 InitializeCriticalSectionAndSpinCount 6461->6462 6463 10003c03 6461->6463 6462->6463 6463->6442 6465 10003aa6 __crt_fast_encode_pointer 6464->6465 6466 10003aaa 6464->6466 6465->6461 6466->6465 6470 100039be 6466->6470 6469 10003ac4 GetProcAddress 6469->6465 6475 100039cd try_get_first_available_module 6470->6475 6471 10003a77 6471->6465 6471->6469 6472 100039ea LoadLibraryExW 6473 10003a05 GetLastError 6472->6473 6472->6475 6473->6475 6474 10003a60 FreeLibrary 6474->6475 6475->6471 6475->6472 6475->6474 6476 10003a38 LoadLibraryExW 6475->6476 6476->6475 6478 10003a82 try_get_function 5 API calls 6477->6478 6479 10003b0b 6478->6479 6480 10003b24 TlsAlloc 6479->6480 6481 100038f2 6479->6481 6481->6450 6482 10003ba2 6481->6482 6483 10003a82 try_get_function 5 API calls 6482->6483 6484 10003bbc 6483->6484 6485 10003bd7 TlsSetValue 6484->6485 6486 1000390b 6484->6486 6485->6486 6486->6453 6487 1000391b 6486->6487 6488 1000392b 6487->6488 6489 10003925 6487->6489 6488->6450 6491 10003b2c 6489->6491 6492 10003a82 try_get_function 5 API calls 6491->6492 6493 10003b46 6492->6493 6494 10003b5e TlsFree 6493->6494 6495 10003b52 6493->6495 6494->6495 6495->6488 6499 10007470 6496->6499 6497 10002ada 
_ValidateLocalCookies 5 API calls 6498 100024a3 6497->6498 6498->6401 6498->6433 6499->6497 6501 10003c7f 6500->6501 6502 10003c59 6500->6502 6501->6435 6502->6501 6503 10003c69 FreeLibrary 6502->6503 6503->6502 6505 100024c4 6504->6505 6506 100024c8 6504->6506 6505->6405 6507 10002639 ___scrt_fastfail 4 API calls 6506->6507 6509 100024d5 ___scrt_release_startup_lock 6506->6509 6508 10002559 6507->6508 6509->6405 7476 100067bf 7481 100067f4 7476->7481 7479 100067db 7480 1000571e _free 20 API calls 7480->7479 7482 10006806 7481->7482 7491 100067cd 7481->7491 7483 10006836 7482->7483 7484 1000680b 7482->7484 7483->7491 7492 100071d6 7483->7492 7485 1000637b _abort 20 API calls 7484->7485 7487 10006814 7485->7487 7488 1000571e _free 20 API calls 7487->7488 7488->7491 7489 10006851 7490 1000571e _free 20 API calls 7489->7490 7490->7491 7491->7479 7491->7480 7493 100071e1 7492->7493 7494 10007209 7493->7494 7495 100071fa 7493->7495 7498 10007218 7494->7498 7501 10008a98 7494->7501 7496 10006368 _free 20 API calls 7495->7496 7500 100071ff ___scrt_fastfail 7496->7500 7508 10008acb 7498->7508 7500->7489 7502 10008aa3 7501->7502 7503 10008ab8 RtlSizeHeap 7501->7503 7504 10006368 _free 20 API calls 7502->7504 7503->7498 7505 10008aa8 7504->7505 7506 100062ac _abort 26 API calls 7505->7506 7507 10008ab3 7506->7507 7507->7498 7509 10008ae3 7508->7509 7510 10008ad8 7508->7510 7512 10008aeb 7509->7512 7518 10008af4 _abort 7509->7518 7511 100056d0 21 API calls 7510->7511 7517 10008ae0 7511->7517 7515 1000571e _free 20 API calls 7512->7515 7513 10008af9 7516 10006368 _free 20 API calls 7513->7516 7514 10008b1e RtlReAllocateHeap 7514->7517 7514->7518 7515->7517 7516->7517 7517->7500 7518->7513 7518->7514 7519 1000474f _abort 7 API calls 7518->7519 7519->7518 7847 10005bff 7855 10005d5c 7847->7855 7850 10005c13 7851 10005b7a _abort 20 API calls 7852 10005c1b 7851->7852 7853 10005c28 7852->7853 7854 10005c2b 11 API calls 7852->7854 7854->7850 7856 10005c45 _abort 5 API calls 
7855->7856 7857 10005d83 7856->7857 7858 10005d9b TlsAlloc 7857->7858 7859 10005d8c 7857->7859 7858->7859 7860 10002ada _ValidateLocalCookies 5 API calls 7859->7860 7861 10005c09 7860->7861 7861->7850 7861->7851

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                    • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                    • String ID:
                                                                    • API String ID: 1083526818-0
                                                                    • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                    • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                    • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                    • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                      • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                      • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                      • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                                      • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                    • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                    • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                    • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                    • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                    • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                    • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                    • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                    • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                    • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                    • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                    • String ID: )$Foxmail$ProgramFiles
                                                                    • API String ID: 672098462-2938083778
                                                                    • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                    • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                    • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                    • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                    • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                      • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                      • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                      • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 2099061454-0
                                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                    • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                    • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                      • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                      • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                      • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                      • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 2099061454-0
                                                                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                    • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                    • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

                                                                    Control-flow Graph (figure): function 1000c803-1000c872
                                                                    APIs
                                                                    • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                                    • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                    • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                    • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProcProtectVirtual$HandleModule
                                                                    • String ID:
                                                                    • API String ID: 2152742572-0
                                                                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                    • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                    • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE

                                                                    Control-flow Graph (figure): function 1000173a-100019b1
                                                                    APIs
                                                                      • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                      • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                      • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                    • _strlen.LIBCMT ref: 10001855
                                                                    • _strlen.LIBCMT ref: 10001869
                                                                    • _strlen.LIBCMT ref: 1000188B
                                                                    • _strlen.LIBCMT ref: 100018AE
                                                                    • _strlen.LIBCMT ref: 100018C8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$File$CopyCreateDelete
                                                                    • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                    • API String ID: 3296212668-3023110444
                                                                    • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                    • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                                    • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                    • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID: %m$~$Gon~$~F@7$~dra
                                                                    • API String ID: 4218353326-230879103
                                                                    • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                    • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                                                    • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                    • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

                                                                    Control-flow Graph (figure): function 10007cc2-10007e0b
                                                                    APIs
                                                                    • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                    • _free.LIBCMT ref: 10007CFB
                                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                    • _free.LIBCMT ref: 10007D1D
                                                                    • _free.LIBCMT ref: 10007D32
                                                                    • _free.LIBCMT ref: 10007D3D
                                                                    • _free.LIBCMT ref: 10007D5F
                                                                    • _free.LIBCMT ref: 10007D72
                                                                    • _free.LIBCMT ref: 10007D80
                                                                    • _free.LIBCMT ref: 10007D8B
                                                                    • _free.LIBCMT ref: 10007DC3
                                                                    • _free.LIBCMT ref: 10007DCA
                                                                    • _free.LIBCMT ref: 10007DE7
                                                                    • _free.LIBCMT ref: 10007DFF
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                    • String ID:
                                                                    • API String ID: 161543041-0
                                                                    • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                    • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                                    • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                                    • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _free.LIBCMT ref: 100059EA
                                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                    • _free.LIBCMT ref: 100059F6
                                                                    • _free.LIBCMT ref: 10005A01
                                                                    • _free.LIBCMT ref: 10005A0C
                                                                    • _free.LIBCMT ref: 10005A17
                                                                    • _free.LIBCMT ref: 10005A22
                                                                    • _free.LIBCMT ref: 10005A2D
                                                                    • _free.LIBCMT ref: 10005A38
                                                                    • _free.LIBCMT ref: 10005A43
                                                                    • _free.LIBCMT ref: 10005A51
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                    • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                                    • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                                    • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 1454806937-0
                                                                    • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                    • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                    • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                    • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

                                                                    Control-flow Graph (figure): function 10009492-10009644
                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                                                    • __fassign.LIBCMT ref: 1000954F
                                                                    • __fassign.LIBCMT ref: 1000956A
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                    • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                                                    • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                    • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                                    • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                                    • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

                                                                    Control-flow Graph (figure): function 10003370-100034c6
                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                    • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                    • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 1170836740-1018135373
                                                                    • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                    • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                                    • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                                    • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                    • _free.LIBCMT ref: 100092AB
                                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                    • _free.LIBCMT ref: 100092B6
                                                                    • _free.LIBCMT ref: 100092C1
                                                                    • _free.LIBCMT ref: 10009315
                                                                    • _free.LIBCMT ref: 10009320
                                                                    • _free.LIBCMT ref: 1000932B
                                                                    • _free.LIBCMT ref: 10009336
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                    • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                                    • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                                    • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                    • __freea.LIBCMT ref: 10008A08
                                                                      • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                    • __freea.LIBCMT ref: 10008A11
                                                                    • __freea.LIBCMT ref: 10008A36
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1414292761-0
                                                                    • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                    • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                    • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                    • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                                                    APIs
                                                                    • _strlen.LIBCMT ref: 10001607
                                                                    • _strcat.LIBCMT ref: 1000161D
                                                                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                    • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcatlstrlen$_strcat_strlen
                                                                    • String ID:
                                                                    • API String ID: 1922816806-0
                                                                    • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                    • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                                    • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                                    • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                                    APIs
                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$AttributesFilelstrcat
                                                                    • String ID:
                                                                    • API String ID: 3594823470-0
                                                                    • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                    • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                                    • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                                    • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                    • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                    • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                                    • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                                    • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                    • _free.LIBCMT ref: 10005B2D
                                                                    • _free.LIBCMT ref: 10005B55
                                                                    • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                    • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                    • _abort.LIBCMT ref: 10005B74
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free$_abort
                                                                    • String ID:
                                                                    • API String ID: 3160817290-0
                                                                    • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                    • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                                    • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                                    • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                                    APIs
                                                                      • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                      • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                      • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                      • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                      • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                      • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                      • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                    • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                    • API String ID: 4036392271-1520055953
                                                                    • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                    • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                                    • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                                    • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                    • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                                    • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                                    • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                      • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                    • _free.LIBCMT ref: 100071B8
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                    • String ID:
                                                                    • API String ID: 336800556-0
                                                                    • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                    • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                                    • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                                    • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                    • _free.LIBCMT ref: 10005BB4
                                                                    • _free.LIBCMT ref: 10005BDB
                                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free
                                                                    • String ID:
                                                                    • API String ID: 3170660625-0
                                                                    • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                    • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                                    • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                                    • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                    • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                                    • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                    • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                    • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcat
                                                                    • String ID:
                                                                    • API String ID: 493641738-0
                                                                    • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                    • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                                    • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                                    • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                                    APIs
                                                                    • _free.LIBCMT ref: 100091D0
                                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                    • _free.LIBCMT ref: 100091E2
                                                                    • _free.LIBCMT ref: 100091F4
                                                                    • _free.LIBCMT ref: 10009206
                                                                    • _free.LIBCMT ref: 10009218
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                    • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                                    • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                                    • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                                    APIs
                                                                    • _free.LIBCMT ref: 1000536F
                                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                    • _free.LIBCMT ref: 10005381
                                                                    • _free.LIBCMT ref: 10005394
                                                                    • _free.LIBCMT ref: 100053A5
                                                                    • _free.LIBCMT ref: 100053B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                    • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                                    • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                                    • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\Adobe\Adobe.exe,00000104), ref: 10004C1D
                                                                    • _free.LIBCMT ref: 10004CE8
                                                                    • _free.LIBCMT ref: 10004CF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _free$FileModuleName
                                                                    • String ID: C:\ProgramData\Adobe\Adobe.exe
                                                                    • API String ID: 2506810119-1403210833
                                                                    • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                    • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                                    • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                                    • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                    • __freea.LIBCMT ref: 100087D5
                                                                      • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                    • String ID:
                                                                    • API String ID: 2652629310-0
                                                                    • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                    • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                    • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                    • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                    • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3177248105-0
                                                                    • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                    • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                    • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                    • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                                    APIs
                                                                    • _free.LIBCMT ref: 1000655C
                                                                      • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                                                      • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                      • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                    • String ID: *?$.
                                                                    • API String ID: 2667617558-3972193922
                                                                    • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                    • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                    • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                    • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID: : $Se.
                                                                    • API String ID: 4218353326-4089948878
                                                                    • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                    • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                    • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                    • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                    APIs
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                      • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.4490059860.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                    • Associated: 00000006.00000002.4490027898.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000006.00000002.4490059860.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                    • String ID: Unknown exception
                                                                    • API String ID: 3476068407-410509341
                                                                    • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                    • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                    • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                    • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

                                                                    Execution Graph

                                                                    Execution Coverage:7.6%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:215
                                                                    Total number of Limit Nodes:9
                                                                    execution_graph (rendered node/edge graph not reproduced). API calls on the graph, by node address:
                                                                    • 740xxxx region (process 6): PostMessageW (740d650), CreateProcessA (740b4b1), VirtualAllocEx (740b120), WriteProcessMemory (740b1e8), ReadProcessMemory (740b2db), Wow64SetThreadContext (740b008 / 740b04d), ResumeThread (740af98)
                                                                    • 2e4xxxx region: CreateActCtxA (2e45918), GetModuleHandleW (2e4b020), DuplicateHandle (2e4d6c0)
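The execution graph above shows the canonical RunPE / process-hollowing chain (CreateProcessA, then VirtualAllocEx and WriteProcessMemory into the child, then Wow64SetThreadContext and ResumeThread), which is what the "Injects a PE file into a foreign processes" signature in the overview is reporting. The following is an added detection example, not part of the Joe Sandbox report: it scans a per-process API trace for that ordered chain. The trace format (one `pid api` event per line), the sample trace and the function names are assumptions made for this example; only the API names come from the graph.

```python
"""Detect a RunPE / process-hollowing API sequence in an API-call trace.

Added example, not part of the Joe Sandbox report. The trace format
("pid api_name" per line) and the sample below are constructed for the
example; real traces (ETW, sandbox API logs) need their own parser.
"""
from collections import defaultdict

# Ordered stages of the hollowing chain seen in the execution graph.
# Each stage is the set of API names that satisfy it (A/W and 32/64-bit variants).
HOLLOWING_STAGES = [
    {"CreateProcessA", "CreateProcessW"},
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"Wow64SetThreadContext", "SetThreadContext"},
    {"ResumeThread"},
]


def parse_trace(text):
    """Parse 'pid api' lines into a per-pid ordered list of API names."""
    per_pid = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, api = line.split(None, 1)
        per_pid[int(pid)].append(api.strip())
    return per_pid


def find_hollowing(apis):
    """Return the index in `apis` at which the full chain completed, or None.

    Stages must appear in order; unrelated calls between them (for example
    the ReadProcessMemory used to read the child's PEB) are ignored.
    """
    stage = 0
    for i, api in enumerate(apis):
        if api in HOLLOWING_STAGES[stage]:
            stage += 1
            if stage == len(HOLLOWING_STAGES):
                return i
    return None


def scan(text):
    """Map each pid in the trace to the completion index of the chain (or None)."""
    return {pid: find_hollowing(apis) for pid, apis in parse_trace(text).items()}


# Constructed sample trace; API names taken from the execution graph above.
SAMPLE_TRACE = """\
6 GetModuleFileNameA
6 PostMessageW
6 CreateProcessA
6 ReadProcessMemory
6 VirtualAllocEx
6 WriteProcessMemory
6 WriteProcessMemory
6 Wow64SetThreadContext
6 ResumeThread
8 GetModuleHandleW
8 CreateActCtxA
8 DuplicateHandle
"""

if __name__ == "__main__":
    for pid, hit in scan(SAMPLE_TRACE).items():
        print(f"pid {pid}: {'hollowing chain completed at event ' + str(hit) if hit is not None else 'no hollowing chain'}")
```

Ordering is what makes this useful: debuggers and some installers also call VirtualAllocEx and WriteProcessMemory on a child, so a bag-of-APIs match is noisy, while the full ordered chain ending in a thread-context rewrite and ResumeThread is much rarer in benign code. Corroborate a hit with the CREATE_SUSPENDED flag on the CreateProcess call and with whether the written buffer starts with an MZ header, neither of which this trace format carries.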

                                                                    Control-flow Graph

                                                                    control_flow_graph: basic blocks 5a2ec60 to 5a2eddb (rendered graph with executed / not-executed block colouring not reproduced)
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 8iq$8iq$LReq$$eq$$eq$$eq$$eq
                                                                    • API String ID: 0-3442170425
                                                                    • Opcode ID: b5f2ecc442893f1c9a79b67197cd2cf544673fb7b5c4395e6b5244b34e71192c
                                                                    • Instruction ID: b5512b9d843a815d1f96ccb24c159f6d9f6f89f0296d79923e7fec7439b51d74
                                                                    • Opcode Fuzzy Hash: b5f2ecc442893f1c9a79b67197cd2cf544673fb7b5c4395e6b5244b34e71192c
                                                                    • Instruction Fuzzy Hash: C941C230A08225DFDB14CBADC946EBE7BBAFF85300F64446AD515DB391DB748881CBA1

                                                                    Control-flow Graph (function at 5a2e108, first block 5a2e108-5a2e128; rendered graph, no API calls in this function)
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LReq$LReq$LReq$$eq$$eq$$eq
                                                                    • API String ID: 0-2733907079
                                                                    • Opcode ID: 470efa2971b90be1862e9a416736950b6023b5c051f749bf3660b4ec894dca95
                                                                    • Instruction ID: a0271658a98ec83bac48eb0e217584a1668808c4f53d6e0dc52f6342fcdad650
                                                                    • Opcode Fuzzy Hash: 470efa2971b90be1862e9a416736950b6023b5c051f749bf3660b4ec894dca95
                                                                    • Instruction Fuzzy Hash: E8416C70B04226DBDF148FAED846F7AB7FABB54300F10843AE116EB2D1D77499818B51

                                                                    Control-flow Graph (function at 5a2e0f8, first block 5a2e0f8-5a2e106; rendered graph, no API calls in this function)
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LReq$LReq$$eq$$eq
                                                                    • API String ID: 0-731573373
                                                                    • Opcode ID: ec9297cdf603b572f2c500954a0c9eed2936e75557989672f08a02a20c131b99
                                                                    • Instruction ID: 3ff2ad409d2b5d786bbef39b64fbf23d7cd0df01feb5e2fa95e303e1112779c5
                                                                    • Opcode Fuzzy Hash: ec9297cdf603b572f2c500954a0c9eed2936e75557989672f08a02a20c131b99
                                                                    • Instruction Fuzzy Hash: 52418D30B04226DBEF208FAED942F7AB7FABB55700F10403AE116EB2D1D77499808B55

                                                                    Control-flow Graph (function at 5a25eac, first block 5a25eac-5a25f22; internal calls to 5a25560 and 5a2556c)
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Hiq$Hiq
                                                                    • API String ID: 0-2624443307
                                                                    • Opcode ID: 9b8a9bde1c00334054efb6195211d2b5419ba1d838084c31d96c9097c97f0a81
                                                                    • Instruction ID: bc5aaa06f431bbb5d2e0d411328fff79254252d6147d7eea26dc4588e166a5ec
                                                                    • Opcode Fuzzy Hash: 9b8a9bde1c00334054efb6195211d2b5419ba1d838084c31d96c9097c97f0a81
                                                                    • Instruction Fuzzy Hash: F0817E70E002599FCF04DFA9C895AAEBFF6FF89300F14856AE409AB355DB345941CB91

                                                                    Control-flow Graph (function at 5a265f0, first block 5a265f0-5a265f2; internal calls to 5a2562c, 5a255bc, 5a255cc, 5a2563c and 5a25598)
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (iq$Hiq
                                                                    • API String ID: 0-2459830773
                                                                    • Opcode ID: 240f8d1347a47b86874401e3be55e4ade5324351c65913a409db1bcb4c623617
                                                                    • Instruction ID: 09832c52569a842876fb230ec98d9d0c2d4b29fef356797c610334cbef1e5dc8
                                                                    • Opcode Fuzzy Hash: 240f8d1347a47b86874401e3be55e4ade5324351c65913a409db1bcb4c623617
                                                                    • Instruction Fuzzy Hash: A541F5B0B0011A9FCB09AFA8C41A97F7FA7EFD5340B2584AAD5459B3A5DF308C42C795

                                                                    Control-flow Graph (function at 740b41c, first block 740b41c-740b4bd; calls CreateProcessA in block 740b5b7-740b671)
                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0740B65E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296713512.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    • Opcode ID: a6332edfce1be07a2205b1b310f9f5ea7b30bb9580449748b9a7fc23842fb1d4
                                                                    • Instruction ID: 256529a7c60a9b2237c6f779a560cd00de16e9f44063ca6590c355da260cfcde
                                                                    • Opcode Fuzzy Hash: a6332edfce1be07a2205b1b310f9f5ea7b30bb9580449748b9a7fc23842fb1d4
                                                                    • Instruction Fuzzy Hash: 12A13BB1D0021ADFDB14CF68CD41BEEBBB2FB48314F1585AAD808A7290DB749985CF95

                                                                    Control-flow Graph (function at 740b428, first block 740b428-740b4bd; calls CreateProcessA in block 740b5b7-740b671)
                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0740B65E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296713512.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    • Opcode ID: 17b7b977ad681a66cc5e97629faeb938aa1c57ef89bde1227451fc9c65ab941e
                                                                    • Instruction ID: 1649302730ef659000b78f3de4848b1632d604cf0571db3bb946a89e39033621
                                                                    • Opcode Fuzzy Hash: 17b7b977ad681a66cc5e97629faeb938aa1c57ef89bde1227451fc9c65ab941e
                                                                    • Instruction Fuzzy Hash: C0914BB1D0021ADFDB14CF68CD41BDEBBB2FB48314F1585AAD808A7290DB749985CF95

                                                                    Control-flow Graph (function at 2e4ade8, first block 2e4ade8-2e4adf7; internal calls to 2e49414, 2e4b080, 2e4b070, 2e4a150, 2e4a160, 2e4a170 and 2e4a180; calls GetModuleHandleW in block 2e4b020-2e4b04b)
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02E4B03E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2273029615.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2e40000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: a8ec46b9e2edbfe8599c19670e4c9a38668275987aabd7355712e6a877ac10f3
                                                                    • Instruction ID: e545e3c2f6f22c332a63f800ccc706fa1c21075c42132f33d8b556903a26df90
                                                                    • Opcode Fuzzy Hash: a8ec46b9e2edbfe8599c19670e4c9a38668275987aabd7355712e6a877ac10f3
                                                                    • Instruction Fuzzy Hash: 477134B0A40B058FDB24DF6AE05575ABBF1FF88318F00892ED49A97B50DB34E945CB90

                                                                    Control-flow Graph (function at 2e4590c, first block 2e4590c-2e45913; calls CreateActCtxA in block 2e45918-2e459d9)
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 02E459C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2273029615.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2e40000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 13fe093f9e3415ca0719ff73d2c322fd2f1587443a1146134a1e772e3306524a
                                                                    • Instruction ID: af0b40712ad8924cb477e30f1436f69616f857412976ba53ecf75fa976e60119
                                                                    • Opcode Fuzzy Hash: 13fe093f9e3415ca0719ff73d2c322fd2f1587443a1146134a1e772e3306524a
                                                                    • Instruction Fuzzy Hash: C741E0B1C00719CBDB24CFA9C884BDEBBF5BF49304F64816AD408AB251DB756949CF60

                                                                    Control-flow Graph (function at 2e444b4, first block 2e444b4-2e459d9; calls CreateActCtxA in that block)
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 02E459C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2273029615.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2e40000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 5da7efa52592eacb6a2d7017a55c5dd88b34f131111b8a9c944690dafa32dbb7
                                                                    • Instruction ID: e595bafac144203a989ef7f6806876156b9580f6d8046be186eeb3f563f676ce
                                                                    • Opcode Fuzzy Hash: 5da7efa52592eacb6a2d7017a55c5dd88b34f131111b8a9c944690dafa32dbb7
                                                                    • Instruction Fuzzy Hash: E341DEB0C00719CBDB24CFA9C884BDEBBF5BF48304F60816AD408AB251DB756949CFA0

                                                                    Control-flow Graph (function at 740b198, first block 740b198-740b1ee; calls WriteProcessMemory in block 740b1fe-740b23d)
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0740B230
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296713512.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: c88c0709c2cd9281602e20d25d9f9c2fdcc2d79adde3cb4f4a0a9de0d169dde2
                                                                    • Instruction ID: 308bc1489b38708c01c1d4b0cf7c63e7f8dc7d205740201ff617688474aeeddc
                                                                    • Opcode Fuzzy Hash: c88c0709c2cd9281602e20d25d9f9c2fdcc2d79adde3cb4f4a0a9de0d169dde2
                                                                    • Instruction Fuzzy Hash: 2D215CB59003599FCB10CFA9D885BDEBFF5FF48320F10842AE918A7250C7759540DBA4
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0740B230
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296713512.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    • Opcode ID: 088cf1f9f419c1bd863169b98e13d1d51f034731ba12ba855666e9686248bcf6
                                                                    • Instruction ID: 2e9d44b222ff5d92a2c87bcc97d5101d40d7d35f7a7ac6ef986f463181bbaa8d
                                                                    • Opcode Fuzzy Hash: 088cf1f9f419c1bd863169b98e13d1d51f034731ba12ba855666e9686248bcf6
                                                                    • Instruction Fuzzy Hash: 2E2139B59003599FDF10CFA9C885BDEBBF5FF48310F10842AE918A7250C7789944DBA4
                                                                    APIs
                                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0740B086
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296713512.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ContextThreadWow64
                                                                    • String ID:
                                                                    • API String ID: 983334009-0
                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0740B310
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296713512.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E4D686,?,?,?,?,?), ref: 02E4D747
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2273029615.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2e40000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0740B14E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296713512.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0740D6AD
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296713512.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296713512.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_7400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 02E4B03E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2273029615.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_2e40000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 8iq
                                                                    • API String ID: 0-3905279654
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $eq
                                                                    • API String ID: 0-731066626
                                                                    • Instruction ID: 7d1a153ee47e2de6e7c954fd38472cc44833bd3ea7bc49546a9840d8e0754782
                                                                    • Opcode Fuzzy Hash: 499f4242f38025b92b1bee28eb4a706c6157bd69b30213eda01942b92858f1c1
                                                                    • Instruction Fuzzy Hash: E351F1317042019BC7057F39A4567AE3F62BF88700F5489A9E98A9F29ADF714C8AC391
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 444b9c621a0694f5836bd87e6cf10c4ce94550c75c894137596c5f34a4c63f9b
                                                                    • Instruction ID: b057f538aee50936b1aa0b62573a91f2e63405a6a8bb98c32f1ec6360f04a31f
                                                                    • Opcode Fuzzy Hash: 444b9c621a0694f5836bd87e6cf10c4ce94550c75c894137596c5f34a4c63f9b
                                                                    • Instruction Fuzzy Hash: D141EF307042019BD7057F79A84A7AE3E62BF88700F508968E98A9F29ADF71584A83D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b827c17162a6dc0124c2dfb7d5c20cd4ad956c3abcacdf6c3032e645630e8f98
                                                                    • Instruction ID: 29f936767530386c92ccb473adb12721e0b604a7e9f584142b187f8e7b417737
                                                                    • Opcode Fuzzy Hash: b827c17162a6dc0124c2dfb7d5c20cd4ad956c3abcacdf6c3032e645630e8f98
                                                                    • Instruction Fuzzy Hash: F731E170E02228DFCB14DF64E65599DFBB2FF89301F158469E441A7660CB359860CF40
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a8efe863a5423da213990a2bde0648b0b70ddf07a15839b33a20a20687fcd117
                                                                    • Instruction ID: 1e3729ee86642a4ada14e274c70572d071aa37abdda63b5f760e79722d4337f5
                                                                    • Opcode Fuzzy Hash: a8efe863a5423da213990a2bde0648b0b70ddf07a15839b33a20a20687fcd117
                                                                    • Instruction Fuzzy Hash: 3B414530B182688FDB14DB69C895EADBBF6BF49700F1440A9F501EB3A1DA35D900CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3880f579cfa2f1b7bca3b1b4595e370d6895840278a20692a68e58370da9ba63
                                                                    • Instruction ID: 7ca19bd59db9083fe59eeef1165d934cf880844b082fba2d50dd60c03a0d7085
                                                                    • Opcode Fuzzy Hash: 3880f579cfa2f1b7bca3b1b4595e370d6895840278a20692a68e58370da9ba63
                                                                    • Instruction Fuzzy Hash: 12418170E042269FDB05EF6CC94AEBA7FF3BB44340F104426E406E7695FAB4C912CA91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b863fb815184c360e02ab88ca93a100e9a30652c7c36b824de878495fd313591
                                                                    • Instruction ID: 00125cd3a333662c6c6ca6ae8331102944902c9b77c547b17fb5f8403ab6ac80
                                                                    • Opcode Fuzzy Hash: b863fb815184c360e02ab88ca93a100e9a30652c7c36b824de878495fd313591
                                                                    • Instruction Fuzzy Hash: 8B41D771E082369FCB01EF6CC94AEA97FF3BB45340F514066D442E7655F6B48912CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5583a98606176d60fa63bea9f423656ce03223c7f71d9266d21b876bd1a59c67
                                                                    • Instruction ID: 4c1227fa49cff27f7d87a46a699a17c469fd001d70621c0ad40854ae7c2326cc
                                                                    • Opcode Fuzzy Hash: 5583a98606176d60fa63bea9f423656ce03223c7f71d9266d21b876bd1a59c67
                                                                    • Instruction Fuzzy Hash: 12413730A002199FDB04DFACD955AADBBB2FF89310F148569F411AB3A0DB75ED40CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: efd073b42f5fb09e249e0dfd08b522a6ef2eab436589035b0a4cc8f84f908650
                                                                    • Instruction ID: 5d0fa974b099d005e2a61982e9de58f29cfa4e2e944c32fb48183151b02616fa
                                                                    • Opcode Fuzzy Hash: efd073b42f5fb09e249e0dfd08b522a6ef2eab436589035b0a4cc8f84f908650
                                                                    • Instruction Fuzzy Hash: 19413531A002199FDB04DFACD955AADBBB2FF89310F1485A9F411BB3A0DB75E941CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d7c4e9b332147f37e1dbb7c9a7754351a2431dafa486741fc94a5e28dd8f127b
                                                                    • Instruction ID: 73d2b94836b08ce46b78605a66fb788d4efe98c284d310da22dbe69b24880772
                                                                    • Opcode Fuzzy Hash: d7c4e9b332147f37e1dbb7c9a7754351a2431dafa486741fc94a5e28dd8f127b
                                                                    • Instruction Fuzzy Hash: 0541C271A19360CFC3219B39D81A9693FF1BB42211B19D0ABF456CB293DF388C46C7A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 435a46c90655d22662a072b4b15c1cd62368f3499f455a384d6aca1f3b3ff7bd
                                                                    • Instruction ID: fc4088e5234b7b988e09ccff0dfed94822b35e7275944207cce801d94a437df0
                                                                    • Opcode Fuzzy Hash: 435a46c90655d22662a072b4b15c1cd62368f3499f455a384d6aca1f3b3ff7bd
                                                                    • Instruction Fuzzy Hash: B1415C31A04226EFDF10CB9DD943EBEBBB2FF44701F108126E551A7291E734D9958B51
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e3793debaac8b76ddb4db6c07325fc0fd4ac55c623d9391c0c5ee80aef1cb9c4
                                                                    • Instruction ID: 1d3af36b5ff42e8ea74c26316ead4dfe8b5fa4f810a30dee81b51a6cbc73c77b
                                                                    • Opcode Fuzzy Hash: e3793debaac8b76ddb4db6c07325fc0fd4ac55c623d9391c0c5ee80aef1cb9c4
                                                                    • Instruction Fuzzy Hash: 29416970A05229DFDF158FA9DA498AEFFB2FF88700F258169D4057B256CB3598A1CF40
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6037c044fb344565e81883c81757a55c6047dc9c250bd8270bbbc12f1a250615
                                                                    • Instruction ID: 54b4e909cac0954b58af560cd38f6e3c8fde2f561330c2fa8c4afa20c17987c9
                                                                    • Opcode Fuzzy Hash: 6037c044fb344565e81883c81757a55c6047dc9c250bd8270bbbc12f1a250615
                                                                    • Instruction Fuzzy Hash: 12317875A15224CFC7609B6DD40AA2D3BF6FB85611B24D0AAF816CB286DF35CC42CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3268bcad59b7b280907f7972d287fc325481f519144faf1188f3a2a036d362c9
                                                                    • Instruction ID: f32fd805b6f532d09e5f4b290ea4b47d96efc4d6f72ebd415947349046a5777d
                                                                    • Opcode Fuzzy Hash: 3268bcad59b7b280907f7972d287fc325481f519144faf1188f3a2a036d362c9
                                                                    • Instruction Fuzzy Hash: 6F31F7B4E102199FCB08DFA9D955AEEBBB2EF88300F14802AE415A7364DB359D018F90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7a41e27059b9bec04781b039bb09e4e97f41df2925456b9f2cbb18db6e43fd37
                                                                    • Instruction ID: e722fa1010127c125cd9bbad07322a1d8f7bdeffd4af87ba42dc8a28958aa710
                                                                    • Opcode Fuzzy Hash: 7a41e27059b9bec04781b039bb09e4e97f41df2925456b9f2cbb18db6e43fd37
                                                                    • Instruction Fuzzy Hash: 4A41ADB0D103599FDB14CF9AC985A9EFBB5BF88310F60822AE418BB254DB746945CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc92970fd66856de269b1bd06ffa64e499e3ef65f98fbd27b87673be8019ab4b
                                                                    • Instruction ID: 42e29f4fff0c83b3a34c3fd898a4b9c44754faf3ef0c97c12e0da5c2bf7e7f10
                                                                    • Opcode Fuzzy Hash: dc92970fd66856de269b1bd06ffa64e499e3ef65f98fbd27b87673be8019ab4b
                                                                    • Instruction Fuzzy Hash: FDF09031714218AFCF08DF6CD85ADAE7FFAEF46250B0084AAE405D7351EA31D8418754
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bc677ee7b678ae63d501617cd0e135655dba1b715e02abb52dbf9a3ff59b9cfe
                                                                    • Instruction ID: ff81bffd30b79a3ce1ba131bbaf061da76aec47ae39c26bb91a5f299ff21b595
                                                                    • Opcode Fuzzy Hash: bc677ee7b678ae63d501617cd0e135655dba1b715e02abb52dbf9a3ff59b9cfe
                                                                    • Instruction Fuzzy Hash: 73218071F001556FCB15DBAD8905EBFBBFAEFC8300F14856AA854E7250EA708E018BA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e993253ccbada96117d4d2ba6370a69c7e5e4adfd5709d4c00c9d978f8404f0a
                                                                    • Instruction ID: b0cfaaffa1732897fd51620db594f246d2bc0f6c62ad24d87f789751c0b4e36d
                                                                    • Opcode Fuzzy Hash: e993253ccbada96117d4d2ba6370a69c7e5e4adfd5709d4c00c9d978f8404f0a
                                                                    • Instruction Fuzzy Hash: 0A31A4B4E112199FCB48DFA9D955AEEBBB2FF88300F14802AE415B7364DB3559418F90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 548463ab81ccb0f3dd46c7d9b261e37b655d7fc93214fc45cd098e559ad722df
                                                                    • Instruction ID: 0c5e5f5c75508bd0cd9a6e508afe30b774ef118b79f9f8e255354fd013fa1892
                                                                    • Opcode Fuzzy Hash: 548463ab81ccb0f3dd46c7d9b261e37b655d7fc93214fc45cd098e559ad722df
                                                                    • Instruction Fuzzy Hash: C831F531A4D761C7C711CF2DDD42EBABBB6FB81211F048127E5A196282D338D883C65B
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0fc9538ae342aeebad2bcc3893fc3e04f900bf7f1ca70d3fd9707f447778cb41
                                                                    • Instruction ID: b4d0b1fe1d99fefb694898d5b867787ae41c075d7556071fc2d9c4c0df79a096
                                                                    • Opcode Fuzzy Hash: 0fc9538ae342aeebad2bcc3893fc3e04f900bf7f1ca70d3fd9707f447778cb41
                                                                    • Instruction Fuzzy Hash: D9319F71E062689FCB05CF98D845E9DBFF2BF89310F0480AAE514AB261DB31D944CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8121b5113b1968a0525a44a3bfaa3fb24bae3e3e64f0f3b4e482a7682103b036
                                                                    • Instruction ID: c56cab29d92444485ba690bdf3f5d668415816afcf0ead58719bc4f0a74cc287
                                                                    • Opcode Fuzzy Hash: 8121b5113b1968a0525a44a3bfaa3fb24bae3e3e64f0f3b4e482a7682103b036
                                                                    • Instruction Fuzzy Hash: 9C212730E05327CBCB15BB6CC4468AEBB72FF41340B504966E54AA7248EB3DD9648BA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9b7aba8f374b2ba108a51e14a58647cdeb0b7585d644789defdc5976ee3517bf
                                                                    • Instruction ID: f89f602dc57d7a61dd74b018428d74d09f5feb77fdf15c8005d1daedaccc46d7
                                                                    • Opcode Fuzzy Hash: 9b7aba8f374b2ba108a51e14a58647cdeb0b7585d644789defdc5976ee3517bf
                                                                    • Instruction Fuzzy Hash: 91210871B002249FCB14DF28D556DAEBBB6FFC9620F148469D505EB340DA359C41CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2272375558.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_149d000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d250a00bb15c5bd39d9e5531406d24baa35064ed3e69a5966019b19c9e41bfb5
                                                                    • Instruction ID: f49c208f193c9a02cb416cee33262ddab6e3ce59eaf537978469690f8d962024
                                                                    • Opcode Fuzzy Hash: d250a00bb15c5bd39d9e5531406d24baa35064ed3e69a5966019b19c9e41bfb5
                                                                    • Instruction Fuzzy Hash: B021D371904240DFDF16DF58D9C0B27BF65FB88328F24C56AE9090B266C336E456CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2272450128.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_14ad000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6cc913403b90ae7330dd57c6b7d80ef55276625f7cb1e295c5fdda354b071f5c
                                                                    • Instruction ID: 05a9dae65344070452e09f8830ca8008472c0e5eab78d8e8e60d22e700cfb018
                                                                    • Opcode Fuzzy Hash: 6cc913403b90ae7330dd57c6b7d80ef55276625f7cb1e295c5fdda354b071f5c
                                                                    • Instruction Fuzzy Hash: 612125B1948200DFCB15DF58D980B16BB65EB98318F60C56ED90A4B766C33AD407CA61
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2272450128.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_14ad000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5ab93adf03fd35f9c245ef16eb8a2cd87439618af6b8dd0d536c3badce33a239
                                                                    • Instruction ID: f8be0012f21c62d392e13793d5846465581542e360b052328bd11299bfef2082
                                                                    • Opcode Fuzzy Hash: 5ab93adf03fd35f9c245ef16eb8a2cd87439618af6b8dd0d536c3badce33a239
                                                                    • Instruction Fuzzy Hash: 9F213B76904200DFDB06DF98D9C0F26BB65FB98324F64C96ED9094B766C33AD806CB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 20b664874d4cff74873ce15bcbadfaa3b9fce4c74e1cf31bdf451fe5498ba8fb
                                                                    • Instruction ID: 8f323433fbb610e2b2648431b2e7da4698f19c33ac726d39c61759903c046857
                                                                    • Opcode Fuzzy Hash: 20b664874d4cff74873ce15bcbadfaa3b9fce4c74e1cf31bdf451fe5498ba8fb
                                                                    • Instruction Fuzzy Hash: D8218CB6904219DFDB11CF99D845BEABBF4FF59314F28805AE419A7220C2729941CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e51880d09907f86c9d2bbe9f1c3da66bf0b9d168eff015152a247b3b2aff40be
                                                                    • Instruction ID: e7809cb8a66d69365883eb6c24739bb4931f5aee9d03c733bcbdb11d65f933b4
                                                                    • Opcode Fuzzy Hash: e51880d09907f86c9d2bbe9f1c3da66bf0b9d168eff015152a247b3b2aff40be
                                                                    • Instruction Fuzzy Hash: 56119471F05227EBCB116B99D5459FE7FB1EB40390F604CA6E099B2544F6348534CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 95e1cc2225d7037a77c858203da7e2996a2e03fc523e6d068a0f263c12b31324
                                                                    • Instruction ID: c926a5d3cd4a326ba937901c4caa846e41f0dcb481d3b6671bcf601da9752176
                                                                    • Opcode Fuzzy Hash: 95e1cc2225d7037a77c858203da7e2996a2e03fc523e6d068a0f263c12b31324
                                                                    • Instruction Fuzzy Hash: 0D21E0B59053599FDB10CF9AD985A9EFBF4FB48310F24842EE819A7310C375A944CFA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 817b410ad8928e8ce18b3af8d134921be6f4ff16a395c62a77370f88f67b0dc6
                                                                    • Instruction ID: 2c59774fb9d32014fde81c3b49dd4db3bc82463a975c3de82c0e3e69e50ed35c
                                                                    • Opcode Fuzzy Hash: 817b410ad8928e8ce18b3af8d134921be6f4ff16a395c62a77370f88f67b0dc6
                                                                    • Instruction Fuzzy Hash: 3821E0B59053599FDB10CF9AD984A9EFBF4FB48310F24842EE819A7210C375A944CFA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2272450128.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_14ad000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5cb064329f2b773ac4950aebdd8e24717c918c985c21c91fad376fe33d12a404
                                                                    • Instruction ID: 6d8da7876e58c762884cc4428cbb6b9f093ee1f8ed061e17ffb94d96df473900
                                                                    • Opcode Fuzzy Hash: 5cb064329f2b773ac4950aebdd8e24717c918c985c21c91fad376fe33d12a404
                                                                    • Instruction Fuzzy Hash: 442180755493808FDB03CF24D594716BF71EB46214F29C5DBD8498F6A7C33A980ACB62
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2272375558.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_149d000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                                                    • Instruction ID: 1d418499322e54c62dcd0b88101eb269a7f8dad6d2b23825c01c5b7bd41096e6
                                                                    • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                                                    • Instruction Fuzzy Hash: CC11E176804280CFCF02CF54D9C4B16BF71FB84324F24C6AAD8090B266C33AD45ACBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2272450128.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_14ad000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                                    • Instruction ID: b95fd7b5e48631be8509585d12915f88060604958b67ee35851222165dc593f1
                                                                    • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                                    • Instruction Fuzzy Hash: 67118B76904280DFDB16CF54D5C4B16BBA1FB84324F24C6AED8494B7A6C33AD44ACB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d737263ed6d4ca38ede133e5f98637de5a1b6b0779decb8c5af15144550d6c30
                                                                    • Instruction ID: 02aaeef2037e9e81095fa7219d53ae3d2646cdd6ef0f369880a8fc4d416c0396
                                                                    • Opcode Fuzzy Hash: d737263ed6d4ca38ede133e5f98637de5a1b6b0779decb8c5af15144550d6c30
                                                                    • Instruction Fuzzy Hash: 9B11F3B5C042489FCB10DF9AD444B9EFBF4EF88320F14841AE858A7210D774A945CFA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dd4d9a75c3f78632fd463f8f12e771206bb0a059ec0f009a3b3dcb77363f4e24
                                                                    • Instruction ID: fc5b8362dcc5cc456850bee0607925277a0e6c00382ce9dfe88d84d3e32d984b
                                                                    • Opcode Fuzzy Hash: dd4d9a75c3f78632fd463f8f12e771206bb0a059ec0f009a3b3dcb77363f4e24
                                                                    • Instruction Fuzzy Hash: 2A014771F08367AFC712AB6CD8068A97FB1EB412C0F1848A7E049E7281F23885148BD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e570f4fefc60f914efab50db633164ebe61ab3284c15aa3692d0e551b9da8885
                                                                    • Instruction ID: bfd7be22d7d5bd80d8b9e53418fd28c504d4d9e91b05731be3dab8d23cd16762
                                                                    • Opcode Fuzzy Hash: e570f4fefc60f914efab50db633164ebe61ab3284c15aa3692d0e551b9da8885
                                                                    • Instruction Fuzzy Hash: B31102B5C042589FCB10DF9AD944B9EFBF8EB88320F14842AE859A7310D774A905CFA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1abb472652c3c020c32b2cec230ceb6bdd937776c7459437aab6cf6fee035638
                                                                    • Instruction ID: 0a0820bf80e076ce1e5f306f5967573056e0249c419f31e02898fadc7d47a469
                                                                    • Opcode Fuzzy Hash: 1abb472652c3c020c32b2cec230ceb6bdd937776c7459437aab6cf6fee035638
                                                                    • Instruction Fuzzy Hash: 9D1104B5C042589FCB10DF9AD544B9EFBF4EB88320F14842AE859B7310D774A905CFA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ed327cea050ed864d1cee7694ff222e392eec16db913c9c35da98adb2f968521
                                                                    • Instruction ID: 387b038d66065dd272162978cc45a983cd9f037c86054d4a26a5745010fc1eee
                                                                    • Opcode Fuzzy Hash: ed327cea050ed864d1cee7694ff222e392eec16db913c9c35da98adb2f968521
                                                                    • Instruction Fuzzy Hash: 1A01F2B1F042645FCF06A7AC9D56DBEBFBABF8D210F0840A9D605AF341CA240901C3E2
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6eee6ba9bb7d084605b69dda7eaa3920a10cc59971534759709e34943eb235e0
                                                                    • Instruction ID: c7b9fcdba1f4722d5999477fdafbd03a72cc52b29d82911e098d032c37df1ea4
                                                                    • Opcode Fuzzy Hash: 6eee6ba9bb7d084605b69dda7eaa3920a10cc59971534759709e34943eb235e0
                                                                    • Instruction Fuzzy Hash: 3911CE71E002199FDB04EF6DC842BAEBBB1EF48304F044629D916F3380E7B89A41CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 54c85b33532548413a882f8f5bf153429b3228f74ee60709c32c33105626fcc5
                                                                    • Instruction ID: c17b31f2ed14f063c12e9d8cfff7cd4273cf72f60373e5761b4101647f68e5bc
                                                                    • Opcode Fuzzy Hash: 54c85b33532548413a882f8f5bf153429b3228f74ee60709c32c33105626fcc5
                                                                    • Instruction Fuzzy Hash: E4012832A1034AAFCF01EFB4DC488DAFF35FF96304B00866AE04567111E771A595CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2272375558.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_149d000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2f83df165ecd3ca497540cb0c199daed7ed48c9bc7af929b528f9c6a180d7343
                                                                    • Instruction ID: 9262ab5db7c49dffdbdc4acceb3a80f865daacc8cbbbd0ac7263d0ff6dd699d2
                                                                    • Opcode Fuzzy Hash: 2f83df165ecd3ca497540cb0c199daed7ed48c9bc7af929b528f9c6a180d7343
                                                                    • Instruction Fuzzy Hash: 3A012B754043809AEB119E99CDC4B2BBF98DF41330F18C5ABED080F297D6399841C671
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 69bfb96ac82e559762088ba9d0b683794a30d1a4531e1d1cf48577945d46f48f
                                                                    • Instruction ID: a540e460691301dc0a6b30ecd3165c98f12775da85b91a7e98e28d040168a194
                                                                    • Opcode Fuzzy Hash: 69bfb96ac82e559762088ba9d0b683794a30d1a4531e1d1cf48577945d46f48f
                                                                    • Instruction Fuzzy Hash: 82018074E002199FDB04EF69C902BAEBBB1EF48304F044529D915F7390DBB89A41CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bf14a759edd1638aa6a7f4d22832becdd99bb165e4a1f9423ec732ed52c410b4
                                                                    • Instruction ID: da5f7cac5bb354bdf21e31f2cf426d1b7c5590ec00f875148daff316adfa1425
                                                                    • Opcode Fuzzy Hash: bf14a759edd1638aa6a7f4d22832becdd99bb165e4a1f9423ec732ed52c410b4
                                                                    • Instruction Fuzzy Hash: D1017C30E1C2A8AFCB15DB69D985EEEBBF6EF49200F14406AF811E7361D6319901CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3b7469f805b95f67909c5f36beccc1b14dd953c89ac60fe1bf339b69704dc350
                                                                    • Instruction ID: db24d4c2cfecf9b54592598dbf27147ce3a1e78214621dd66352ce0923d69f35
                                                                    • Opcode Fuzzy Hash: 3b7469f805b95f67909c5f36beccc1b14dd953c89ac60fe1bf339b69704dc350
                                                                    • Instruction Fuzzy Hash: 25014B79E08229EFCF06CBA8E8529FEBB72FF85310F408056E515B7265DB349952CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 41f41c408312163db0633b855649a92a32f95336ea4ff786064c90fecc0743b5
                                                                    • Instruction ID: f50672cb4d0ce8c1ee4cb5815c69d6785e1d14923a9a9f3c59df57ea9a358c45
                                                                    • Opcode Fuzzy Hash: 41f41c408312163db0633b855649a92a32f95336ea4ff786064c90fecc0743b5
                                                                    • Instruction Fuzzy Hash: EBF09071B042549FCB09EB7988599AFBFFAEB95200F05C5BAD409DB292EE3099418790
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a7aa1cdbaa6a6c6c3f843ab1364f03ed7b9ad61cd7f4cb7f77256db6cfbb1f8c
                                                                    • Instruction ID: f07a9023d39666275b30f8c8b115c81069331934ed29a37841e8e136dbebeecf
                                                                    • Opcode Fuzzy Hash: a7aa1cdbaa6a6c6c3f843ab1364f03ed7b9ad61cd7f4cb7f77256db6cfbb1f8c
                                                                    • Instruction Fuzzy Hash: 1BF0A731F44214AFCF04DB7D88498AE7FFBEF84350B04C8A5A409D7241EE309D414250
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2272375558.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_149d000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1c0e3af19b5710de02de6c101652b9529393cebc01c909d67bdd28f77b61f92c
                                                                    • Instruction ID: 4dd7aae306dd5808743b365c38bf6c04aab78a2d16933303295e6a048aad9ce6
                                                                    • Opcode Fuzzy Hash: 1c0e3af19b5710de02de6c101652b9529393cebc01c909d67bdd28f77b61f92c
                                                                    • Instruction Fuzzy Hash: F6F062764043849EEB118E59C9C8B67FF98EF51734F18C45AED085E296C2799844CAB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 36a1c1067a4591a40e5f678deabd2fd24a135e6f24506281b0c530b4c8724738
                                                                    • Instruction ID: 07cd9b03b2fe87f597421f87959283e157934c072c198adb270807895e9caaab
                                                                    • Opcode Fuzzy Hash: 36a1c1067a4591a40e5f678deabd2fd24a135e6f24506281b0c530b4c8724738
                                                                    • Instruction Fuzzy Hash: 24F0F6307083A08FC3269B7CA465495BFF5AF1B224B1C85AFD4988B662D231D8C1CB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: af4c8321210560625ebd7d5b1ffc8677402c0c33c475a67aa9a214d83e4f6d65
                                                                    • Instruction ID: 78c3baab9299b5525c5b2605c659225f98f5fd9748bca0406feda2e087f46396
                                                                    • Opcode Fuzzy Hash: af4c8321210560625ebd7d5b1ffc8677402c0c33c475a67aa9a214d83e4f6d65
                                                                    • Instruction Fuzzy Hash: 13F08972A04105AFDF48CF58D956EDE7FB9EF44210F05807AE404DB220E63599519710
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: df85cefbea937e78e467098b5fcbf321a2434fad93cab0f8bcc3afa1264fddaa
                                                                    • Instruction ID: c908fac86afe56363f2baab24caff302947a3fa38a484c8a6434fd58c19f80a1
                                                                    • Opcode Fuzzy Hash: df85cefbea937e78e467098b5fcbf321a2434fad93cab0f8bcc3afa1264fddaa
                                                                    • Instruction Fuzzy Hash: BDE0E53830D3204FC3029B6CE11296A77A2EBD5910F004576D508D7602D639CC8A8B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e4446e7e0b11f89a9fa8a79362faf7c2e31f5a8a0744fe1294af7fe9626073ca
                                                                    • Instruction ID: b01b229a9f6e67a1568b4ae11dcb2602809af08c9205f011b896fd75b7d29989
                                                                    • Opcode Fuzzy Hash: e4446e7e0b11f89a9fa8a79362faf7c2e31f5a8a0744fe1294af7fe9626073ca
                                                                    • Instruction Fuzzy Hash: ABF0307070D3628FC31A9B3C9854826BBE5EF46310764C8ABE065CB662DA39EC94CB45
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3f395953c234c9db5159be44f6727e478258eb2b5c44ce402f7451c11a745a99
                                                                    • Instruction ID: f347779d508fbb28aeacc9efb80edf8a7d35a3915e7be52f26f517e1c907ef45
                                                                    • Opcode Fuzzy Hash: 3f395953c234c9db5159be44f6727e478258eb2b5c44ce402f7451c11a745a99
                                                                    • Instruction Fuzzy Hash: 32E09232A042146FDB04CAA9C942ADABFFBDF89264F1880A9EC48D7200EA319941C790
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7e0e705ca2d3cfb3173bfbce69992960f19fe19a3bb8be63326a0901467bd072
                                                                    • Instruction ID: 42b1f5ab11b91ad77601265436e2a0ab17b0e18396ce65c5681a2b779bfaa4b6
                                                                    • Opcode Fuzzy Hash: 7e0e705ca2d3cfb3173bfbce69992960f19fe19a3bb8be63326a0901467bd072
                                                                    • Instruction Fuzzy Hash: 4FE01A7599212DDACF14AB95E65ABFDBB71FB45316F200426E122B2590CB350990CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1e08b2b67f25e084449ee6c2d3289235d5db675f13cf6851c3a37532132389bf
                                                                    • Instruction ID: 2ec1f37fc53a4be54da46e9237883be5187107e74a9d274816570e1ccf4528f1
                                                                    • Opcode Fuzzy Hash: 1e08b2b67f25e084449ee6c2d3289235d5db675f13cf6851c3a37532132389bf
                                                                    • Instruction Fuzzy Hash: 08D05E3768923046D520D61DBC97FEA3352FFD4305F2DCD5AF086D7148C42EDA868A91
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e66234d3d72cdf1b8fef08f3a48716400458dd5f7b9a5d79b70c61aceccd2595
                                                                    • Instruction ID: 673c6426cdbba6c8e03425b13222695499fb8f9bd163cbbae70d1da59bcc2d25
                                                                    • Opcode Fuzzy Hash: e66234d3d72cdf1b8fef08f3a48716400458dd5f7b9a5d79b70c61aceccd2595
                                                                    • Instruction Fuzzy Hash: 26D0A73768823006D520D515FC83FD93342FBD4205F1DC95AF085D7248C42EDA828A90
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d7108aac1313908a41f9b09dee238119efcd2744bb212553d24725ec20277627
                                                                    • Instruction ID: 24ba92ab2548a67da3fa4cc3128d59afdedf1cc736fc6c810254f861e20fe8b5
                                                                    • Opcode Fuzzy Hash: d7108aac1313908a41f9b09dee238119efcd2744bb212553d24725ec20277627
                                                                    • Instruction Fuzzy Hash: 11E0C25061C3C44FE30563B5841E3267EA4EB96211F0490EAA4498B3C3ED255C00C713
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 036b044b9e7970df06d644a025d9fe5bb8847a78e3af61f3b2c4e53b2da5f637
                                                                    • Instruction ID: d3a6b5f965ad347ddabf972a5769c270280229b369caa7ae211e911ffc5bebd7
                                                                    • Opcode Fuzzy Hash: 036b044b9e7970df06d644a025d9fe5bb8847a78e3af61f3b2c4e53b2da5f637
                                                                    • Instruction Fuzzy Hash: E0C01227B548300BE60821DCB627BAD1649CB86631F460867D2199B795C8958C8102C6
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b5e28803a28052a941a4feea8b8b22b05fe2f125f92f9f2f3dd1927613be8e42
                                                                    • Instruction ID: 44939a050e65847e34aff9cc1d566ef5952265da534e789972e2c3536023e2ae
                                                                    • Opcode Fuzzy Hash: b5e28803a28052a941a4feea8b8b22b05fe2f125f92f9f2f3dd1927613be8e42
                                                                    • Instruction Fuzzy Hash: 70C08C283203088BC70026F6A00E32B7ECABB84221F20A024B80A873C5EE32A8008611
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3d8dc6a11cefb5e5fbcb919336e093d5771e890640d97cd80c2a5aaf8c903bc5
                                                                    • Instruction ID: 6078ef1ba48e0e449844ed16246d371f81ffae041ca17457cb0ccfcb4a7feb74
                                                                    • Opcode Fuzzy Hash: 3d8dc6a11cefb5e5fbcb919336e093d5771e890640d97cd80c2a5aaf8c903bc5
                                                                    • Instruction Fuzzy Hash: ECB0923275463917DA0831DD7525AAE72CE8B8AA70F40046BA60E9B785DCD69C4203EA
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 56bdef1a065eec54c0dc737c6f8cb96e915a5f1599f1232fdb7352653b2177d4
                                                                    • Instruction ID: 630ca421834564f8ad85b28f72cfabb68d3158b72ab9da01a5d66b481b48a04c
                                                                    • Opcode Fuzzy Hash: 56bdef1a065eec54c0dc737c6f8cb96e915a5f1599f1232fdb7352653b2177d4
                                                                    • Instruction Fuzzy Hash: 07C02B6A5042C58FE3108A30CC337C43A10D7A0B00F10801E8909CE501C4355047E232
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d9fd4ae484bfe815b6f4b67639891c2fc97738f47ee1836fb233a565be42c9e0
                                                                    • Instruction ID: b5ad0d47b0d418a34acfc6c941cf262e6e6e2b769a0c3a4fd6595b64ac564859
                                                                    • Opcode Fuzzy Hash: d9fd4ae484bfe815b6f4b67639891c2fc97738f47ee1836fb233a565be42c9e0
                                                                    • Instruction Fuzzy Hash: 71B0127525C250EE4501636C8DE7D6BB531FFA3F00BC0CC06B3445040285214438D32B
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bc9e4e9fa5c9ce6a86d0d471bd5b6b0a097186bb08761c312a7edb74ded39b1c
                                                                    • Instruction ID: 802f8dbbe26848207b0baa916383ce782ce483cdc9f410d5871312b972b85c02
                                                                    • Opcode Fuzzy Hash: bc9e4e9fa5c9ce6a86d0d471bd5b6b0a097186bb08761c312a7edb74ded39b1c
                                                                    • Instruction Fuzzy Hash: B3C08C38808388CFCF21EF18DC8CB943B10EF13308F2841B8C0489A443C6362022CB13
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (oeq$(oeq$,iq$,iq$Hiq$d8jq
                                                                    • API String ID: 0-112418110
                                                                    • Opcode ID: 658d797b96291be05f092dc0760888c17d95de015c3afb6abf8c28c0de9ed351
                                                                    • Instruction ID: fbe9409be50308b73c721c2d83766dfd98a2b3f6737c5e76d7987e35aa7967ec
                                                                    • Opcode Fuzzy Hash: 658d797b96291be05f092dc0760888c17d95de015c3afb6abf8c28c0de9ed351
                                                                    • Instruction Fuzzy Hash: 0CC13874B102289FCB149F69D859EAE7BF6BF88710F148069E916E73A1DB30DC41CB91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.2296199806.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_5a20000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Hiq$Hiq$Hiq$Hiq$Hiq
                                                                    • API String ID: 0-1376665358
                                                                    • Opcode ID: 75b882bab0b6d1ece8c265b4913eeffc15a92418df668fb4f8cd0ac65a593635
                                                                    • Instruction ID: 90ca8c06c547b379c77b4b5a36c98c56e66691afe6ca9f68e97a25684cb97be5
                                                                    • Opcode Fuzzy Hash: 75b882bab0b6d1ece8c265b4913eeffc15a92418df668fb4f8cd0ac65a593635
                                                                    • Instruction Fuzzy Hash: B3C17A74B002148FCB18EFB9C5599AE77F2BF89250B6448AAD506EB3A0DF35DC01CB61

                                                                    Execution Graph

                                                                    Execution Coverage: 6.3%
                                                                    Dynamic/Decrypted Code Coverage: 9.2%
                                                                    Signature Coverage: 0%
                                                                    Total number of Nodes: 2000
                                                                    Total number of Limit Nodes: 85
                                                                    execution_graph 40390 441819 40393 430737 40390->40393 40392 441825 40394 430756 40393->40394 40406 43076d 40393->40406 40395 430774 40394->40395 40396 43075f 40394->40396 40407 43034a 40395->40407 40418 4169a7 11 API calls 40396->40418 40399 4307ce 40400 430819 memset 40399->40400 40411 415b2c 40399->40411 40400->40406 40401 43077e 40401->40399 40404 4307fa 40401->40404 40401->40406 40403 4307e9 40403->40400 40403->40406 40419 4169a7 11 API calls 40404->40419 40406->40392 40408 430359 40407->40408 40409 43034e 40407->40409 40408->40401 40420 415c23 memcpy 40409->40420 40412 415b46 40411->40412 40413 415b42 40411->40413 40412->40403 40413->40412 40414 415b94 40413->40414 40415 415b5a 40413->40415 40416 4438b5 10 API calls 40414->40416 40415->40412 40417 415b79 memcpy 40415->40417 40416->40412 40417->40412 40418->40406 40419->40406 40420->40408 37671 442ec6 19 API calls 37848 4152c6 malloc 37849 4152e2 37848->37849 37850 4152ef 37848->37850 37852 416760 11 API calls 37850->37852 37852->37849 37853 4466f4 37872 446904 37853->37872 37855 446700 GetModuleHandleA 37858 446710 __set_app_type __p__fmode __p__commode 37855->37858 37857 4467a4 37859 4467ac __setusermatherr 37857->37859 37860 4467b8 37857->37860 37858->37857 37859->37860 37873 4468f0 _controlfp 37860->37873 37862 4467bd _initterm __wgetmainargs _initterm 37864 44681e GetStartupInfoW 37862->37864 37865 446810 37862->37865 37866 446866 GetModuleHandleA 37864->37866 37874 41276d 37866->37874 37870 446896 exit 37871 44689d _cexit 37870->37871 37871->37865 37872->37855 37873->37862 37875 41277d 37874->37875 37917 4044a4 LoadLibraryW 37875->37917 37877 412785 37908 412789 37877->37908 37925 414b81 37877->37925 37880 4127c8 37931 412465 memset ??2@YAPAXI 37880->37931 37882 4127ea 37943 40ac21 37882->37943 37887 412813 37961 40dd07 memset 37887->37961 37888 412827 37966 40db69 memset 37888->37966 37892 412822 37987 4125b6 ??3@YAXPAX 37892->37987 
[Execution graph data: flattened node/edge list of the sample's call graph (function addresses, the Windows APIs each function calls, and caller->callee edges), emitted by the graph widget and not reproduced here. Windows APIs named in this portion of the graph include RegisterClassW/CreateWindowExW/GetMessageW/DispatchMessageW, CoInitialize, LoadLibraryW/GetProcAddress/FreeLibrary, RegOpenKeyExW/RegEnumValueW/RegQueryValueExW, GetPrivateProfileStringW/WritePrivateProfileStringW, CredEnumerateW, FindFirstUrlCacheEntryW/FindNextUrlCacheEntryW, CreateToolhelp32Snapshot/Process32FirstW/Process32NextW/OpenProcess, CreateFileMappingW/MapViewOfFile/WriteFile, GetTempPathW/GetTempFileNameW/CopyFileW/DeleteFileW, FindFirstFileW/FindNextFileW, GetModuleFileNameW, GetFileAttributesW and GetVersionExW.]
40965d 39307->39308 39310 409d1f 6 API calls 39308->39310 39309->38646 39309->38647 39311 40966d 39310->39311 39380 409b98 GetFileAttributesW 39311->39380 39313 40967c 39313->39309 39314 409681 39313->39314 39381 409529 72 API calls 39314->39381 39316 409690 39316->39309 39317->38669 39327->39304 39382 40a6e6 WideCharToMultiByte 39328->39382 39330 409202 39383 444432 39330->39383 39333 40b273 27 API calls 39334 409236 39333->39334 39429 438552 39334->39429 39337 409383 39339 40b273 27 API calls 39337->39339 39341 409399 39339->39341 39343 438552 134 API calls 39341->39343 39361 4093a3 39343->39361 39347 4094ff 39458 443d90 39347->39458 39350 4251c4 137 API calls 39350->39361 39354 4093df 39457 424f26 123 API calls 39354->39457 39358 4253cf 17 API calls 39358->39361 39360 40951d 39360->39305 39361->39347 39361->39350 39361->39354 39361->39358 39363 4093e4 39361->39363 39455 4253af 17 API calls 39363->39455 39380->39313 39381->39316 39382->39330 39479 4438b5 39383->39479 39385 44444c 39391 409215 39385->39391 39493 415a6d 39385->39493 39387 4442e6 11 API calls 39389 44469e 39387->39389 39388 444486 39390 4444b9 memcpy 39388->39390 39428 4444a4 39388->39428 39389->39391 39393 443d90 111 API calls 39389->39393 39497 415258 39390->39497 39391->39333 39391->39360 39393->39391 39394 444524 39395 444541 39394->39395 39396 44452a 39394->39396 39500 444316 39395->39500 39397 416935 16 API calls 39396->39397 39397->39428 39400 444316 18 API calls 39401 444563 39400->39401 39402 444316 18 API calls 39401->39402 39428->39387 39567 438460 39429->39567 39431 409240 39431->39337 39432 4251c4 39431->39432 39579 424f07 39432->39579 39434 4251e4 39435 4251f7 39434->39435 39436 4251e8 39434->39436 39457->39347 39459 443da3 39458->39459 39480 4438d0 39479->39480 39491 4438c9 39479->39491 39481 415378 memcpy memcpy 39480->39481 39482 4438d5 39481->39482 39483 4154e2 10 API calls 39482->39483 39484 443906 39482->39484 39482->39491 39483->39484 39485 443970 memset 39484->39485 
39484->39491 39487 44398b 39485->39487 39486 4439a0 39488 415700 10 API calls 39486->39488 39486->39491 39487->39486 39490 41975c 10 API calls 39487->39490 39489 4439c0 39488->39489 39489->39491 39492 418981 10 API calls 39489->39492 39490->39486 39491->39385 39492->39491 39494 415a77 39493->39494 39495 415a8d 39494->39495 39496 415a7e memset 39494->39496 39495->39388 39496->39495 39498 4438b5 11 API calls 39497->39498 39499 41525d 39498->39499 39499->39394 39501 444328 39500->39501 39502 444423 39501->39502 39503 44434e 39501->39503 39504 4446ea 11 API calls 39502->39504 39505 432d4e memset memset memcpy 39503->39505 39511 444381 39504->39511 39506 44435a 39505->39506 39508 444375 39506->39508 39513 44438b 39506->39513 39507 432d4e memset memset memcpy 39509 4443ec 39507->39509 39510 416935 16 API calls 39508->39510 39509->39511 39510->39511 39511->39400 39513->39507 39568 41703f 11 API calls 39567->39568 39569 43847a 39568->39569 39570 43848a 39569->39570 39571 43847e 39569->39571 39573 438270 134 API calls 39570->39573 39572 4446ea 11 API calls 39571->39572 39575 438488 39572->39575 39574 4384aa 39573->39574 39574->39575 39576 424f26 123 API calls 39574->39576 39575->39431 39577 4384bb 39576->39577 39578 438270 134 API calls 39577->39578 39578->39575 39580 424f1f 39579->39580 39581 424f0c 39579->39581 39583 424eea 11 API calls 39580->39583 39582 416760 11 API calls 39581->39582 39584 424f18 39582->39584 39585 424f24 39583->39585 39584->39434 39585->39434 39636 413f4f 39609->39636 39612 413f37 K32GetModuleFileNameExW 39613 413f4a 39612->39613 39613->38705 39615 413969 wcscpy 39614->39615 39616 41396c wcschr 39614->39616 39628 413a3a 39615->39628 39616->39615 39618 41398e 39616->39618 39641 4097f7 wcslen wcslen _memicmp 39618->39641 39620 41399a 39621 4139a4 memset 39620->39621 39622 4139e6 39620->39622 39642 409dd5 GetWindowsDirectoryW wcscpy 39621->39642 39624 413a31 wcscpy 39622->39624 39625 4139ec memset 39622->39625 39624->39628 39643 409dd5 
GetWindowsDirectoryW wcscpy 39625->39643 39626 4139c9 wcscpy wcscat 39626->39628 39628->38705 39629 413a11 memcpy wcscat 39629->39628 39631 413cb0 GetModuleHandleW 39630->39631 39632 413cda 39630->39632 39631->39632 39633 413cbf GetProcAddress 39631->39633 39634 413ce3 GetProcessTimes 39632->39634 39635 413cf6 39632->39635 39633->39632 39634->38708 39635->38708 39637 413f2f 39636->39637 39638 413f54 39636->39638 39637->39612 39637->39613 39639 40a804 8 API calls 39638->39639 39640 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39639->39640 39640->39637 39641->39620 39642->39626 39643->39629 39644->38729 39645->38752 39647 409cf9 GetVersionExW 39646->39647 39648 409d0a 39646->39648 39647->39648 39648->38758 39648->38763 39649->38764 39650->38767 39651->38769 39652->38835 39654 40bba5 39653->39654 39701 40cc26 39654->39701 39657 40bd4b 39722 40cc0c 39657->39722 39662 40b2cc 27 API calls 39663 40bbef 39662->39663 39729 40ccf0 _wcsicmp 39663->39729 39665 40bbf5 39665->39657 39730 40ccb4 6 API calls 39665->39730 39667 40bc26 39668 40cf04 17 API calls 39667->39668 39669 40bc2e 39668->39669 39670 40bd43 39669->39670 39671 40b2cc 27 API calls 39669->39671 39672 40cc0c 4 API calls 39670->39672 39673 40bc40 39671->39673 39672->39657 39731 40ccf0 _wcsicmp 39673->39731 39675 40bc46 39675->39670 39676 40bc61 memset memset WideCharToMultiByte 39675->39676 39732 40103c strlen 39676->39732 39678 40bcc0 39679 40b273 27 API calls 39678->39679 39680 40bcd0 memcmp 39679->39680 39680->39670 39681 40bce2 39680->39681 39682 404423 37 API calls 39681->39682 39683 40bd10 39682->39683 39683->39670 39684 40bd3a LocalFree 39683->39684 39685 40bd1f memcpy 39683->39685 39684->39670 39685->39684 39686->38850 39688 409a74 GetTempFileNameW 39687->39688 39689 409a66 GetWindowsDirectoryW 39687->39689 39688->38849 39689->39688 39690->38887 39691->38887 39692->38887 39693->38887 39694->38887 39695->38887 39696->38887 39697->38887 39698->38887 39699->38862 
39700->38884 39733 4096c3 CreateFileW 39701->39733 39703 40cc34 39704 40cc3d GetFileSize 39703->39704 39712 40bbca 39703->39712 39705 40afcf 2 API calls 39704->39705 39706 40cc64 39705->39706 39734 40a2ef ReadFile 39706->39734 39708 40cc71 39735 40ab4a MultiByteToWideChar 39708->39735 39710 40cc95 CloseHandle 39711 40b04b ??3@YAXPAX 39710->39711 39711->39712 39712->39657 39713 40cf04 39712->39713 39714 40b633 free 39713->39714 39715 40cf14 39714->39715 39741 40b1ab free free 39715->39741 39717 40bbdd 39717->39657 39717->39662 39718 40cf1b 39718->39717 39720 40cfef 39718->39720 39742 40cd4b 39718->39742 39721 40cd4b 14 API calls 39720->39721 39721->39717 39723 40b633 free 39722->39723 39724 40cc15 39723->39724 39725 40aa04 free 39724->39725 39726 40cc1d 39725->39726 39791 40b1ab free free 39726->39791 39728 40b7d4 memset CreateFileW 39728->38842 39728->38843 39729->39665 39730->39667 39731->39675 39732->39678 39733->39703 39734->39708 39736 40ab93 39735->39736 39737 40ab6b 39735->39737 39736->39710 39738 40a9ce 4 API calls 39737->39738 39739 40ab74 39738->39739 39740 40ab7c MultiByteToWideChar 39739->39740 39740->39736 39741->39718 39743 40cd7b 39742->39743 39776 40aa29 39743->39776 39745 40cef5 39746 40aa04 free 39745->39746 39747 40cefd 39746->39747 39747->39718 39749 40aa29 6 API calls 39750 40ce1d 39749->39750 39751 40aa29 6 API calls 39750->39751 39752 40ce3e 39751->39752 39753 40ce6a 39752->39753 39784 40abb7 wcslen memmove 39752->39784 39754 40ce9f 39753->39754 39787 40abb7 wcslen memmove 39753->39787 39756 40a8d0 7 API calls 39754->39756 39759 40ceb5 39756->39759 39757 40ce56 39785 40aa71 wcslen 39757->39785 39765 40a8d0 7 API calls 39759->39765 39761 40ce8b 39788 40aa71 wcslen 39761->39788 39762 40ce5e 39786 40abb7 wcslen memmove 39762->39786 39768 40cecb 39765->39768 39766 40ce93 39789 40abb7 wcslen memmove 39766->39789 39790 40d00b malloc memcpy free free 39768->39790 39770 40cedd 39771 40aa04 free 39770->39771 39772 40cee5 39771->39772 39773 40aa04 free 
39772->39773 39774 40ceed 39773->39774 39775 40aa04 free 39774->39775 39775->39745 39777 40aa33 39776->39777 39778 40aa63 39776->39778 39779 40aa44 39777->39779 39780 40aa38 wcslen 39777->39780 39778->39745 39778->39749 39781 40a9ce malloc memcpy free free 39779->39781 39780->39779 39782 40aa4d 39781->39782 39782->39778 39783 40aa51 memcpy 39782->39783 39783->39778 39784->39757 39785->39762 39786->39753 39787->39761 39788->39766 39789->39754 39790->39770 39791->39728 39792->38902 39793->38910 39870 44def7 39871 44df07 39870->39871 39872 44df00 ??3@YAXPAX 39870->39872 39873 44df17 39871->39873 39874 44df10 ??3@YAXPAX 39871->39874 39872->39871 39875 44df27 39873->39875 39876 44df20 ??3@YAXPAX 39873->39876 39874->39873 39877 44df37 39875->39877 39878 44df30 ??3@YAXPAX 39875->39878 39876->39875 39878->39877 37668 44dea5 37669 44deb5 FreeLibrary 37668->37669 37670 44dec3 37668->37670 37669->37670 39879 4148b6 FindResourceW 39880 4148cf SizeofResource 39879->39880 39883 4148f9 39879->39883 39881 4148e0 LoadResource 39880->39881 39880->39883 39882 4148ee LockResource 39881->39882 39881->39883 39882->39883 37847 415304 free 39794 427533 39798 427548 39794->39798 39807 425711 39794->39807 39795 4259da 39851 416760 11 API calls 39795->39851 39797 4275cb 39831 425506 39797->39831 39798->39797 39805 429b7a 39798->39805 39799 4260dd 39852 424251 120 API calls 39799->39852 39800 4259c2 39827 425ad6 39800->39827 39845 415c56 11 API calls 39800->39845 39857 4446ce 11 API calls 39805->39857 39807->39795 39807->39800 39810 429a4d 39807->39810 39813 422aeb memset memcpy memcpy 39807->39813 39815 4260a1 39807->39815 39821 429ac1 39807->39821 39830 425a38 39807->39830 39841 4227f0 memset memcpy 39807->39841 39842 422b84 15 API calls 39807->39842 39843 422b5d memset memcpy memcpy 39807->39843 39844 422640 13 API calls 39807->39844 39846 4241fc 11 API calls 39807->39846 39847 42413a 90 API calls 39807->39847 39811 429a66 39810->39811 39812 429a9b 39810->39812 39853 415c56 11 API calls 
39811->39853 39817 429a96 39812->39817 39855 416760 11 API calls 39812->39855 39813->39807 39850 415c56 11 API calls 39815->39850 39856 424251 120 API calls 39817->39856 39819 429a7a 39854 416760 11 API calls 39819->39854 39821->39795 39821->39827 39858 415c56 11 API calls 39821->39858 39830->39800 39848 422640 13 API calls 39830->39848 39849 4226e0 12 API calls 39830->39849 39832 425554 39831->39832 39833 42554d 39831->39833 39860 422586 12 API calls 39832->39860 39859 423b34 103 API calls 39833->39859 39836 425567 39837 4255ba 39836->39837 39838 42556c memset 39836->39838 39837->39807 39839 425596 39838->39839 39839->39837 39840 4255a4 memset 39839->39840 39840->39837 39841->39807 39842->39807 39843->39807 39844->39807 39845->39795 39846->39807 39847->39807 39848->39830 39849->39830 39850->39795 39851->39799 39852->39827 39853->39819 39854->39817 39855->39817 39856->39821 39857->39821 39858->39795 39859->39832 39860->39836 39884 441b3f 39894 43a9f6 39884->39894 39886 441b61 40067 4386af memset 39886->40067 39888 44189a 39889 4418e2 39888->39889 39893 442bd4 39888->39893 39890 4418ea 39889->39890 40068 4414a9 12 API calls 39889->40068 39893->39890 40069 441409 memset 39893->40069 39895 43aa20 39894->39895 39896 43aadf 39894->39896 39895->39896 39897 43aa34 memset 39895->39897 39896->39886 39898 43aa56 39897->39898 39899 43aa4d 39897->39899 40070 43a6e7 39898->40070 40078 42c02e memset 39899->40078 39904 43aad3 40080 4169a7 11 API calls 39904->40080 39905 43aaae 39905->39896 39905->39904 39920 43aae5 39905->39920 39906 43ac18 39909 43ac47 39906->39909 40082 42bbd5 memcpy memcpy memcpy memset memcpy 39906->40082 39910 43aca8 39909->39910 40083 438eed 16 API calls 39909->40083 39913 43acd5 39910->39913 40085 4233ae 11 API calls 39910->40085 40086 423426 11 API calls 39913->40086 39914 43ac87 40084 4233c5 16 API calls 39914->40084 39918 43ace1 40087 439811 163 API calls 39918->40087 39919 43a9f6 161 API calls 39919->39920 39920->39896 39920->39906 39920->39919 40081 
439bbb 22 API calls 39920->40081 39922 43acfd 39928 43ad2c 39922->39928 40088 438eed 16 API calls 39922->40088 39924 43ad19 40089 4233c5 16 API calls 39924->40089 39925 43ad58 40090 44081d 163 API calls 39925->40090 39928->39925 39931 43add9 39928->39931 39930 43ae3a memset 39932 43ae73 39930->39932 39931->39931 40094 423426 11 API calls 39931->40094 40095 42e1c0 147 API calls 39932->40095 39933 43adab 40092 438c4e 163 API calls 39933->40092 39936 43ad6c 39936->39896 39936->39933 40091 42370b memset memcpy memset 39936->40091 39937 43adcc 40093 440f84 12 API calls 39937->40093 39938 43ae96 40096 42e1c0 147 API calls 39938->40096 39942 43aea8 39943 43aec1 39942->39943 40097 42e199 147 API calls 39942->40097 39944 43af00 39943->39944 40098 42e1c0 147 API calls 39943->40098 39944->39896 39948 43af1a 39944->39948 39949 43b3d9 39944->39949 40099 438eed 16 API calls 39948->40099 39954 43b3f6 39949->39954 39958 43b4c8 39949->39958 39951 43b60f 39951->39896 40158 4393a5 17 API calls 39951->40158 39952 43af2f 40100 4233c5 16 API calls 39952->40100 40140 432878 12 API calls 39954->40140 39956 43af51 40101 423426 11 API calls 39956->40101 39964 43b4f2 39958->39964 40146 42bbd5 memcpy memcpy memcpy memset memcpy 39958->40146 39960 43af7d 40102 423426 11 API calls 39960->40102 40147 43a76c 21 API calls 39964->40147 39965 43b529 40148 44081d 163 API calls 39965->40148 39966 43b462 40142 423330 11 API calls 39966->40142 39967 43af94 40103 423330 11 API calls 39967->40103 39971 43b47e 39976 43b497 39971->39976 40143 42374a memcpy memset memcpy memcpy memcpy 39971->40143 39972 43b544 39977 43b55c 39972->39977 40149 42c02e memset 39972->40149 39973 43b428 39973->39966 40141 432b60 16 API calls 39973->40141 39974 43afca 40104 423330 11 API calls 39974->40104 40144 4233ae 11 API calls 39976->40144 40150 43a87a 163 API calls 39977->40150 39978 43afdb 40105 4233ae 11 API calls 39978->40105 39984 43b56c 39987 43b58a 39984->39987 40151 423330 11 API calls 39984->40151 39985 43b4b1 40145 
423399 11 API calls 39985->40145 39986 43afee 40106 44081d 163 API calls 39986->40106 40152 440f84 12 API calls 39987->40152 39992 43b4c1 40154 42db80 163 API calls 39992->40154 39994 43b592 40153 43a82f 16 API calls 39994->40153 39997 43b5b4 40155 438c4e 163 API calls 39997->40155 39999 43b5cf 40156 42c02e memset 39999->40156 40001 43b005 40001->39896 40005 43b01f 40001->40005 40107 42d836 163 API calls 40001->40107 40002 43b1ef 40117 4233c5 16 API calls 40002->40117 40005->40002 40115 423330 11 API calls 40005->40115 40116 42d71d 163 API calls 40005->40116 40006 43b212 40118 423330 11 API calls 40006->40118 40007 43b087 40108 4233ae 11 API calls 40007->40108 40008 43add4 40008->39951 40157 438f86 16 API calls 40008->40157 40013 43b22a 40119 42ccb5 11 API calls 40013->40119 40015 43b23f 40120 4233ae 11 API calls 40015->40120 40016 43b10f 40111 423330 11 API calls 40016->40111 40018 43b257 40121 4233ae 11 API calls 40018->40121 40022 43b129 40112 4233ae 11 API calls 40022->40112 40023 43b26e 40122 4233ae 11 API calls 40023->40122 40026 43b09a 40026->40016 40109 42cc15 19 API calls 40026->40109 40110 4233ae 11 API calls 40026->40110 40027 43b282 40123 43a87a 163 API calls 40027->40123 40029 43b13c 40113 440f84 12 API calls 40029->40113 40031 43b29d 40124 423330 11 API calls 40031->40124 40034 43b15f 40114 4233ae 11 API calls 40034->40114 40035 43b2af 40037 43b2b8 40035->40037 40038 43b2ce 40035->40038 40125 4233ae 11 API calls 40037->40125 40126 440f84 12 API calls 40038->40126 40041 43b2c9 40128 4233ae 11 API calls 40041->40128 40042 43b2da 40127 42370b memset memcpy memset 40042->40127 40045 43b2f9 40129 423330 11 API calls 40045->40129 40047 43b30b 40130 423330 11 API calls 40047->40130 40049 43b325 40131 423399 11 API calls 40049->40131 40051 43b332 40132 4233ae 11 API calls 40051->40132 40053 43b354 40133 423399 11 API calls 40053->40133 40055 43b364 40134 43a82f 16 API calls 40055->40134 40057 43b370 40135 42db80 163 API calls 40057->40135 40059 43b380 40136 
438c4e 163 API calls 40059->40136 40061 43b39e 40137 423399 11 API calls 40061->40137 40063 43b3ae 40138 43a76c 21 API calls 40063->40138 40065 43b3c3 40139 423399 11 API calls 40065->40139 40067->39888 40068->39890 40069->39893 40071 43a6f5 40070->40071 40072 43a765 40070->40072 40071->40072 40159 42a115 40071->40159 40072->39896 40079 4397fd memset 40072->40079 40076 43a73d 40076->40072 40077 42a115 147 API calls 40076->40077 40077->40072 40078->39898 40079->39905 40080->39896 40081->39920 40082->39909 40083->39914 40084->39910 40085->39913 40086->39918 40087->39922 40088->39924 40089->39928 40090->39936 40091->39933 40092->39937 40093->40008 40094->39930 40095->39938 40096->39942 40097->39943 40098->39943 40099->39952 40100->39956 40101->39960 40102->39967 40103->39974 40104->39978 40105->39986 40106->40001 40107->40007 40108->40026 40109->40026 40110->40026 40111->40022 40112->40029 40113->40034 40114->40005 40115->40005 40116->40005 40117->40006 40118->40013 40119->40015 40120->40018 40121->40023 40122->40027 40123->40031 40124->40035 40125->40041 40126->40042 40127->40041 40128->40045 40129->40047 40130->40049 40131->40051 40132->40053 40133->40055 40134->40057 40135->40059 40136->40061 40137->40063 40138->40065 40139->40008 40140->39973 40141->39966 40142->39971 40143->39976 40144->39985 40145->39992 40146->39964 40147->39965 40148->39972 40149->39977 40150->39984 40151->39987 40152->39994 40153->39992 40154->39997 40155->39999 40156->40008 40157->39951 40158->39896 40160 42a175 40159->40160 40162 42a122 40159->40162 40160->40072 40165 42b13b 147 API calls 40160->40165 40162->40160 40163 42a115 147 API calls 40162->40163 40166 43a174 40162->40166 40190 42a0a8 147 API calls 40162->40190 40163->40162 40165->40076 40180 43a196 40166->40180 40181 43a19e 40166->40181 40167 43a306 40167->40180 40210 4388c4 14 API calls 40167->40210 40170 42a115 147 API calls 40170->40181 40172 43a642 40172->40180 40214 4169a7 11 API calls 40172->40214 40176 43a635 40213 42c02e 
memset 40176->40213 40180->40162 40181->40167 40181->40170 40181->40180 40191 42ff8c 40181->40191 40199 415a91 40181->40199 40203 4165ff 40181->40203 40206 439504 13 API calls 40181->40206 40207 4312d0 147 API calls 40181->40207 40208 42be4c memcpy memcpy memcpy memset memcpy 40181->40208 40209 43a121 11 API calls 40181->40209 40183 4169a7 11 API calls 40184 43a325 40183->40184 40184->40172 40184->40176 40184->40180 40184->40183 40185 42b5b5 memset memcpy 40184->40185 40186 42bf4c 14 API calls 40184->40186 40189 4165ff 11 API calls 40184->40189 40211 42b63e 14 API calls 40184->40211 40212 42bfcf memcpy 40184->40212 40185->40184 40186->40184 40189->40184 40190->40162 40215 43817e 40191->40215 40193 42ff99 40194 42ffe3 40193->40194 40195 42ffd0 40193->40195 40198 42ff9d 40193->40198 40220 4169a7 11 API calls 40194->40220 40219 4169a7 11 API calls 40195->40219 40198->40181 40200 415a9d 40199->40200 40201 415ab3 40200->40201 40202 415aa4 memset 40200->40202 40201->40181 40202->40201 40369 4165a0 40203->40369 40206->40181 40207->40181 40208->40181 40209->40181 40210->40184 40211->40184 40212->40184 40213->40172 40214->40180 40216 438187 40215->40216 40218 438192 40215->40218 40221 4380f6 40216->40221 40218->40193 40219->40198 40220->40198 40223 43811f 40221->40223 40222 438164 40222->40218 40223->40222 40226 437e5e 40223->40226 40249 4300e8 memset memset memcpy 40223->40249 40250 437d3c 40226->40250 40228 437eb3 40228->40223 40229 437ea9 40229->40228 40234 437f22 40229->40234 40265 41f432 40229->40265 40232 437f06 40312 415c56 11 API calls 40232->40312 40236 432d4e 3 API calls 40234->40236 40237 437f7f 40234->40237 40235 437f95 40313 415c56 11 API calls 40235->40313 40236->40237 40237->40235 40238 43802b 40237->40238 40240 4165ff 11 API calls 40238->40240 40241 438054 40240->40241 40276 437371 40241->40276 40244 43806b 40245 438094 40244->40245 40314 42f50e 138 API calls 40244->40314 40248 437fa3 40245->40248 40315 4300e8 memset memset memcpy 40245->40315 40248->40228 
40316 41f638 104 API calls 40248->40316 40249->40223 40251 437d69 40250->40251 40254 437d80 40250->40254 40317 437ccb 11 API calls 40251->40317 40253 437d76 40253->40229 40254->40253 40255 437da3 40254->40255 40257 437d90 40254->40257 40258 438460 134 API calls 40255->40258 40257->40253 40321 437ccb 11 API calls 40257->40321 40261 437dcb 40258->40261 40259 437de8 40320 424f26 123 API calls 40259->40320 40261->40259 40318 444283 13 API calls 40261->40318 40263 437dfc 40319 437ccb 11 API calls 40263->40319 40266 41f54d 40265->40266 40272 41f44f 40265->40272 40267 41f466 40266->40267 40351 41c635 memset memset 40266->40351 40267->40232 40267->40234 40272->40267 40274 41f50b 40272->40274 40322 41f1a5 40272->40322 40347 41c06f memcmp 40272->40347 40348 41f3b1 90 API calls 40272->40348 40349 41f398 86 API calls 40272->40349 40274->40266 40274->40267 40350 41c295 86 API calls 40274->40350 40352 41703f 40276->40352 40278 437399 40279 43739d 40278->40279 40281 4373ac 40278->40281 40359 4446ea 11 API calls 40279->40359 40282 416935 16 API calls 40281->40282 40283 4373ca 40282->40283 40284 438460 134 API calls 40283->40284 40289 4251c4 137 API calls 40283->40289 40293 415a91 memset 40283->40293 40296 43758f 40283->40296 40308 437584 40283->40308 40311 437d3c 135 API calls 40283->40311 40360 425433 13 API calls 40283->40360 40361 425413 17 API calls 40283->40361 40362 42533e 16 API calls 40283->40362 40363 42538f 16 API calls 40283->40363 40364 42453e 123 API calls 40283->40364 40284->40283 40285 4375bc 40287 415c7d 16 API calls 40285->40287 40288 4375d2 40287->40288 40290 4442e6 11 API calls 40288->40290 40310 4373a7 40288->40310 40289->40283 40291 4375e2 40290->40291 40291->40310 40367 444283 13 API calls 40291->40367 40293->40283 40365 42453e 123 API calls 40296->40365 40299 4375f4 40302 437620 40299->40302 40303 43760b 40299->40303 40301 43759f 40304 416935 16 API calls 40301->40304 40306 416935 16 API calls 40302->40306 40368 444283 13 API calls 40303->40368 40304->40308 
40306->40310 40308->40285 40366 42453e 123 API calls 40308->40366 40309 437612 memcpy 40309->40310 40310->40244 40311->40283 40312->40228 40313->40248 40314->40245 40315->40248 40316->40228 40317->40253 40318->40263 40319->40259 40320->40253 40321->40253 40323 41bc3b 101 API calls 40322->40323 40324 41f1b4 40323->40324 40325 41edad 86 API calls 40324->40325 40332 41f282 40324->40332 40326 41f1cb 40325->40326 40327 41f1f5 memcmp 40326->40327 40328 41f20e 40326->40328 40326->40332 40327->40328 40329 41f21b memcmp 40328->40329 40328->40332 40330 41f326 40329->40330 40333 41f23d 40329->40333 40331 41ee6b 86 API calls 40330->40331 40330->40332 40331->40332 40332->40272 40333->40330 40334 41f28e memcmp 40333->40334 40336 41c8df 56 API calls 40333->40336 40334->40330 40335 41f2a9 40334->40335 40335->40330 40338 41f308 40335->40338 40339 41f2d8 40335->40339 40337 41f269 40336->40337 40337->40330 40340 41f287 40337->40340 40341 41f27a 40337->40341 40338->40330 40345 4446ce 11 API calls 40338->40345 40342 41ee6b 86 API calls 40339->40342 40340->40334 40343 41ee6b 86 API calls 40341->40343 40344 41f2e0 40342->40344 40343->40332 40346 41b1ca memset 40344->40346 40345->40330 40346->40332 40347->40272 40348->40272 40349->40272 40350->40266 40351->40267 40353 417044 40352->40353 40354 41705c 40352->40354 40356 416760 11 API calls 40353->40356 40358 417055 40353->40358 40355 417075 40354->40355 40357 41707a 11 API calls 40354->40357 40355->40278 40356->40358 40357->40353 40358->40278 40359->40310 40360->40283 40361->40283 40362->40283 40363->40283 40364->40283 40365->40301 40366->40285 40367->40299 40368->40309 40374 415cfe 40369->40374 40378 415d23 __aullrem __aulldvrm 40374->40378 40381 41628e 40374->40381 40375 4163ca 40388 416422 11 API calls 40375->40388 40377 416172 memset 40377->40378 40378->40375 40378->40377 40379 416422 10 API calls 40378->40379 40380 415cb9 10 API calls 40378->40380 40378->40381 40379->40378 40380->40378 40382 416520 40381->40382 40383 416527 
40382->40383 40387 416574 40382->40387 40384 416544 40383->40384 40383->40387 40389 4156aa 11 API calls 40383->40389 40386 416561 memcpy 40384->40386 40384->40387 40386->40387 40387->40181 40388->40381 40389->40384 40421 41493c EnumResourceNamesW 37672 4287c1 37673 4287d2 37672->37673 37674 429ac1 37672->37674 37675 428818 37673->37675 37676 42881f 37673->37676 37691 425711 37673->37691 37686 425ad6 37674->37686 37742 415c56 11 API calls 37674->37742 37709 42013a 37675->37709 37737 420244 97 API calls 37676->37737 37681 4260dd 37736 424251 120 API calls 37681->37736 37683 4259da 37735 416760 11 API calls 37683->37735 37689 422aeb memset memcpy memcpy 37689->37691 37690 429a4d 37692 429a66 37690->37692 37696 429a9b 37690->37696 37691->37674 37691->37683 37691->37689 37691->37690 37694 4260a1 37691->37694 37705 4259c2 37691->37705 37708 425a38 37691->37708 37725 4227f0 memset memcpy 37691->37725 37726 422b84 15 API calls 37691->37726 37727 422b5d memset memcpy memcpy 37691->37727 37728 422640 13 API calls 37691->37728 37730 4241fc 11 API calls 37691->37730 37731 42413a 90 API calls 37691->37731 37738 415c56 11 API calls 37692->37738 37734 415c56 11 API calls 37694->37734 37697 429a96 37696->37697 37740 416760 11 API calls 37696->37740 37741 424251 120 API calls 37697->37741 37699 429a7a 37739 416760 11 API calls 37699->37739 37705->37686 37729 415c56 11 API calls 37705->37729 37708->37705 37732 422640 13 API calls 37708->37732 37733 4226e0 12 API calls 37708->37733 37710 42014c 37709->37710 37713 420151 37709->37713 37752 41e466 97 API calls 37710->37752 37712 420162 37712->37691 37713->37712 37714 4201b3 37713->37714 37715 420229 37713->37715 37716 4201b8 37714->37716 37717 4201dc 37714->37717 37715->37712 37718 41fd5e 86 API calls 37715->37718 37743 41fbdb 37716->37743 37717->37712 37721 4201ff 37717->37721 37749 41fc4c 37717->37749 37718->37712 37721->37712 37724 42013a 97 API calls 37721->37724 37724->37712 37725->37691 37726->37691 37727->37691 37728->37691 
37729->37683 37730->37691 37731->37691 37732->37708 37733->37708 37734->37683 37735->37681 37736->37686 37737->37691 37738->37699 37739->37697 37740->37697 37741->37674 37742->37683 37744 41fbf1 37743->37744 37745 41fbf8 37743->37745 37748 41fc39 37744->37748 37767 4446ce 11 API calls 37744->37767 37757 41ee26 37745->37757 37748->37712 37753 41fd5e 37748->37753 37750 41ee6b 86 API calls 37749->37750 37751 41fc5d 37750->37751 37751->37717 37752->37713 37755 41fd65 37753->37755 37754 41fdab 37754->37712 37755->37754 37756 41fbdb 86 API calls 37755->37756 37756->37755 37758 41ee41 37757->37758 37759 41ee32 37757->37759 37768 41edad 37758->37768 37771 4446ce 11 API calls 37759->37771 37762 41ee3c 37762->37744 37765 41ee58 37765->37762 37773 41ee6b 37765->37773 37767->37748 37777 41be52 37768->37777 37771->37762 37772 41eb85 11 API calls 37772->37765 37774 41ee70 37773->37774 37775 41ee78 37773->37775 37833 41bf99 86 API calls 37774->37833 37775->37762 37778 41be6f 37777->37778 37779 41be5f 37777->37779 37785 41be8c 37778->37785 37798 418c63 37778->37798 37812 4446ce 11 API calls 37779->37812 37781 41be69 37781->37762 37781->37772 37783 41bee7 37783->37781 37816 41a453 86 API calls 37783->37816 37785->37781 37785->37783 37786 41bf3a 37785->37786 37787 41bed1 37785->37787 37815 4446ce 11 API calls 37786->37815 37789 41bef0 37787->37789 37792 41bee2 37787->37792 37789->37783 37790 41bf01 37789->37790 37791 41bf24 memset 37790->37791 37793 41bf14 37790->37793 37813 418a6d memset memcpy memset 37790->37813 37791->37781 37802 41ac13 37792->37802 37814 41a223 memset memcpy memset 37793->37814 37797 41bf20 37797->37791 37801 418c72 37798->37801 37799 418d51 memset memset 37800 418c94 37799->37800 37800->37785 37801->37799 37801->37800 37803 41ac52 37802->37803 37804 41ac3f memset 37802->37804 37807 41ac6a 37803->37807 37817 41dc14 19 API calls 37803->37817 37805 41acd9 37804->37805 37805->37783 37808 41aca1 37807->37808 37818 41519d 37807->37818 37808->37805 37810 41acc0 
memset 37808->37810 37811 41accd memcpy 37808->37811 37810->37805 37811->37805 37812->37781 37813->37793 37814->37797 37815->37783 37817->37807 37821 4175ed 37818->37821 37829 417570 SetFilePointer 37821->37829 37824 41760a ReadFile 37825 417637 37824->37825 37826 417627 GetLastError 37824->37826 37827 4151b3 37825->37827 37828 41763e memset 37825->37828 37826->37827 37827->37808 37828->37827 37830 4175b2 37829->37830 37831 41759c GetLastError 37829->37831 37830->37824 37830->37827 37831->37830 37832 4175a8 GetLastError 37831->37832 37832->37830 37833->37775 37834 417bc5 37835 417c61 37834->37835 37840 417bda 37834->37840 37836 417bf6 UnmapViewOfFile CloseHandle 37836->37836 37836->37840 37838 417c2c 37838->37840 37846 41851e 20 API calls 37838->37846 37840->37835 37840->37836 37840->37838 37841 4175b7 37840->37841 37842 4175d6 CloseHandle 37841->37842 37843 4175c8 37842->37843 37844 4175df 37842->37844 37843->37844 37845 4175ce Sleep 37843->37845 37844->37840 37845->37842 37846->37838 39861 4147f3 39864 414561 39861->39864 39863 414813 39865 41456d 39864->39865 39866 41457f GetPrivateProfileIntW 39864->39866 39869 4143f1 memset _itow WritePrivateProfileStringW 39865->39869 39866->39863 39868 41457a 39868->39863 39869->39868

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040DDAD
                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                      • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                    • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                    • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                    • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                    • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                    • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                    • _wcsicmp.MSVCRT ref: 0040DED8
                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                    • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                    • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                    • memset.MSVCRT ref: 0040DF5F
                                                                    • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                    • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                    • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                    • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                    • API String ID: 708747863-3398334509
                                                                    • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                    • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                    • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                    • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                                                    APIs
                                                                      • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                      • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                      • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                    • free.MSVCRT ref: 00418803
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                    • String ID:
                                                                    • API String ID: 1355100292-0
                                                                    • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                    • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                    • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                    • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                    APIs
                                                                    • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                    • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$FirstNext
                                                                    • String ID:
                                                                    • API String ID: 1690352074-0
                                                                    • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                    • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                    • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                    • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041898C
                                                                    • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: InfoSystemmemset
                                                                    • String ID:
                                                                    • API String ID: 3558857096-0
                                                                    • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                    • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                    • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                    • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 004455C2
                                                                    • wcsrchr.MSVCRT ref: 004455DA
                                                                    • memset.MSVCRT ref: 0044570D
                                                                    • memset.MSVCRT ref: 00445725
                                                                      • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                      • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                      • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                      • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                      • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                      • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                      • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                      • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                    • memset.MSVCRT ref: 0044573D
                                                                    • memset.MSVCRT ref: 00445755
                                                                    • memset.MSVCRT ref: 004458CB
                                                                    • memset.MSVCRT ref: 004458E3
                                                                    • memset.MSVCRT ref: 0044596E
                                                                    • memset.MSVCRT ref: 00445A10
                                                                    • memset.MSVCRT ref: 00445A28
                                                                    • memset.MSVCRT ref: 00445AC6
                                                                      • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                      • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                      • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                      • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                      • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                    • memset.MSVCRT ref: 00445B52
                                                                    • memset.MSVCRT ref: 00445B6A
                                                                    • memset.MSVCRT ref: 00445C9B
                                                                    • memset.MSVCRT ref: 00445CB3
                                                                    • _wcsicmp.MSVCRT ref: 00445D56
                                                                    • memset.MSVCRT ref: 00445B82
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                    • memset.MSVCRT ref: 00445986
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                    • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                    • API String ID: 2263259095-3798722523
                                                                    • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                    • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                    • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                    • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                      • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                      • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                      • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                    • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                    • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                    • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                    • String ID: $/deleteregkey$/savelangfile
                                                                    • API String ID: 2744995895-28296030
                                                                    • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                    • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                    • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                    • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                      • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                    • wcsrchr.MSVCRT ref: 0040B738
                                                                    • memset.MSVCRT ref: 0040B756
                                                                    • memset.MSVCRT ref: 0040B7F5
                                                                    • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                    • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                                    • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                    • memset.MSVCRT ref: 0040B851
                                                                    • memset.MSVCRT ref: 0040B8CA
                                                                    • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                    • memset.MSVCRT ref: 0040BB53
                                                                    • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                    • String ID: chp$v10
                                                                    • API String ID: 4165125987-2783969131
                                                                    • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                    • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                    • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                    • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                    APIs
                                                                    • memset.MSVCRT ref: 004091E2
                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                    • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                    • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                    • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                    • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                    • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                    • String ID:
                                                                    • API String ID: 3715365532-3916222277
                                                                    • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                    • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                    APIs
                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                    • memset.MSVCRT ref: 00413D7F
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                    • memset.MSVCRT ref: 00413E07
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                    • free.MSVCRT ref: 00413EC1
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                    • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                    • API String ID: 1344430650-1740548384
                                                                    • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                    • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                    • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                    • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                    APIs
                                                                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                      • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                    • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                    • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                    • String ID: bhv
                                                                    • API String ID: 4234240956-2689659898
                                                                    • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                    • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                    • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                    • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                    • API String ID: 2941347001-70141382
                                                                    • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                    • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                    • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                    • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                    • String ID:
                                                                    • API String ID: 2827331108-0
                                                                    • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                    • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                    • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                    • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040C298
                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                    • wcschr.MSVCRT ref: 0040C324
                                                                    • wcschr.MSVCRT ref: 0040C344
                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                    • GetLastError.KERNEL32 ref: 0040C373
                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                    • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                    • String ID: visited:
                                                                    • API String ID: 1157525455-1702587658
                                                                    • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                    • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                    • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                    • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                    APIs
                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                    • memset.MSVCRT ref: 0040E1BD
                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                    • free.MSVCRT ref: 0040E28B
                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                      • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                      • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                    • _snwprintf.MSVCRT ref: 0040E257
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                    • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                    • API String ID: 2804212203-2982631422
                                                                    • Opcode ID: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                                                    • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                    • Opcode Fuzzy Hash: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                                                    • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                    APIs
                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                      • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                    • memset.MSVCRT ref: 0040BC75
                                                                    • memset.MSVCRT ref: 0040BC8C
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                    • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                    • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                    • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                    • String ID:
                                                                    • API String ID: 115830560-3916222277
                                                                    • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                    • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                    • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                    • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                    Control-flow Graph (image not reproduced; legend: Executed / Not Executed. The graph spans blocks 41837f through 41851d and includes calls to CreateFileW, CreateFileA, GetLastError, free and memset, as listed under APIs below.)
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                    • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                    • GetLastError.KERNEL32 ref: 0041847E
                                                                    • free.MSVCRT ref: 0041848B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile$ErrorLastfree
                                                                    • String ID: |A
                                                                    • API String ID: 77810686-1717621600
                                                                    • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                    • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                    • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                    • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041249C
                                                                    • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                    • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                    • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                    • wcscpy.MSVCRT ref: 004125A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                    • String ID: r!A
                                                                    • API String ID: 2791114272-628097481
                                                                    • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                    • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                    • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                                    • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                      • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                      • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                      • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                      • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                      • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                    • _wcslwr.MSVCRT ref: 0040C817
                                                                      • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                      • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                    • wcslen.MSVCRT ref: 0040C82C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                    • API String ID: 2936932814-4196376884
                                                                    • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                    • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                    • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                    • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                    • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                    • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                    • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                    • String ID: BIN
                                                                    • API String ID: 1668488027-1015027815
                                                                    • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                    • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                    • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                    • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                    APIs
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                    • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                    • wcslen.MSVCRT ref: 0040BE06
                                                                    • wcsncmp.MSVCRT ref: 0040BE38
                                                                    • memset.MSVCRT ref: 0040BE91
                                                                    • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                    • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                    • wcschr.MSVCRT ref: 0040BF24
                                                                    • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                    • String ID:
                                                                    • API String ID: 697348961-0
                                                                    • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                    • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                    • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                    • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403CBF
                                                                    • memset.MSVCRT ref: 00403CD4
                                                                    • memset.MSVCRT ref: 00403CE9
                                                                    • memset.MSVCRT ref: 00403CFE
                                                                    • memset.MSVCRT ref: 00403D13
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 00403DDA
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                    • String ID: Waterfox$Waterfox\Profiles
                                                                    • API String ID: 3527940856-11920434
                                                                    • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                    • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                    • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                    • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403E50
                                                                    • memset.MSVCRT ref: 00403E65
                                                                    • memset.MSVCRT ref: 00403E7A
                                                                    • memset.MSVCRT ref: 00403E8F
                                                                    • memset.MSVCRT ref: 00403EA4
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 00403F6B
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                    • API String ID: 3527940856-2068335096
                                                                    • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                    • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                    • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                    • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403FE1
                                                                    • memset.MSVCRT ref: 00403FF6
                                                                    • memset.MSVCRT ref: 0040400B
                                                                    • memset.MSVCRT ref: 00404020
                                                                    • memset.MSVCRT ref: 00404035
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 004040FC
                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                    • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                    • API String ID: 3527940856-3369679110
                                                                    • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                    • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                    • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                    • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                    APIs
                                                                    • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy
                                                                    • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                    • API String ID: 3510742995-2641926074
                                                                    • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                    • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                    • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                    • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                    APIs
                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                      • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                      • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                    • memset.MSVCRT ref: 004033B7
                                                                    • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                    • wcscmp.MSVCRT ref: 004033FC
                                                                    • _wcsicmp.MSVCRT ref: 00403439
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                    • String ID: $0.@
                                                                    • API String ID: 2758756878-1896041820
                                                                    • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                    • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                    • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                    • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 2941347001-0
                                                                    • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                    • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                    • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                    • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00403C09
                                                                    • memset.MSVCRT ref: 00403C1E
                                                                      • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                      • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                    • wcscat.MSVCRT ref: 00403C47
                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                    • wcscat.MSVCRT ref: 00403C70
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcscat$Closewcscpywcslen
                                                                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                    • API String ID: 3249829328-1174173950
                                                                    • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                    • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                    • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                    • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040A824
                                                                    • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                    • wcscpy.MSVCRT ref: 0040A854
                                                                    • wcscat.MSVCRT ref: 0040A86A
                                                                    • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 669240632-0
                                                                    • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                    • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                    • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                    • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                    APIs
                                                                    • wcschr.MSVCRT ref: 00414458
                                                                    • _snwprintf.MSVCRT ref: 0041447D
                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                    • String ID: "%s"
                                                                    • API String ID: 1343145685-3297466227
                                                                    • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                    • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                    • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                    • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                    • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                    • API String ID: 1714573020-3385500049
                                                                    • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                    • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                    • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                    • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004087D6
                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                      • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                    • memset.MSVCRT ref: 00408828
                                                                    • memset.MSVCRT ref: 00408840
                                                                    • memset.MSVCRT ref: 00408858
                                                                    • memset.MSVCRT ref: 00408870
                                                                    • memset.MSVCRT ref: 00408888
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 2911713577-0
                                                                    • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                    • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                    • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                    • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                    APIs
                                                                    • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                    • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                    • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memcmp
                                                                    • String ID: @ $SQLite format 3
                                                                    • API String ID: 1475443563-3708268960
                                                                    • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                    • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                    • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                    • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                    APIs
                                                                      • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                    • memset.MSVCRT ref: 00414C87
                                                                    • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                    • wcscpy.MSVCRT ref: 00414CFC
                                                                      • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressCloseProcVersionmemsetwcscpy
                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                    • API String ID: 2705122986-2036018995
                                                                    • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                    • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                    • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                    • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmpqsort
                                                                    • String ID: /nosort$/sort
                                                                    • API String ID: 1579243037-1578091866
                                                                    • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                    • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                    • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                    • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040E60F
                                                                    • memset.MSVCRT ref: 0040E629
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    Strings
                                                                    • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                    • API String ID: 3354267031-2114579845
                                                                    • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                    • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                    • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                    • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                    APIs
                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                    • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                    • String ID:
                                                                    • API String ID: 3473537107-0
                                                                    • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                    • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                    • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                    • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                    • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                    • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                    • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                    APIs
                                                                    Strings
                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                    • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                    Similarity
                                                                    • API ID: ??3@DeleteObject
                                                                    • String ID: r!A
                                                                    APIs
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                    Similarity
                                                                    • API ID: ??2@
                                                                    APIs
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                    • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                    Similarity
                                                                    • API ID: AddressProc$memcmp
                                                                    • String ID: $$8
                                                                    Strings
                                                                    • too many columns on %s, xrefs: 00430763
                                                                    • duplicate column name: %s, xrefs: 004307FE
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: duplicate column name: %s$too many columns on %s
                                                                    APIs
                                                                      • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                      • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                      • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                      • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                      • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                      • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                      • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                      • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                      • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                    • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                      • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                      • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                      • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                    • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                    • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                      • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                      • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                      • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                    Similarity
                                                                    • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                    APIs
                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                    • memset.MSVCRT ref: 00403A55
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                    Similarity
                                                                    • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                    • String ID: history.dat$places.sqlite
                                                                    APIs
                                                                      • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                    • GetLastError.KERNEL32 ref: 00417627
                                                                    Similarity
                                                                    • API ID: ErrorLast$File$PointerRead
                                                                    Similarity
                                                                    • API ID: FileFindFirst
                                                                    • String ID: *.*$index.dat
                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                    • GetLastError.KERNEL32 ref: 004175A2
                                                                    • GetLastError.KERNEL32 ref: 004175A8
                                                                    Similarity
                                                                    • API ID: ErrorLast$FilePointer
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                    • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                    • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTime
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                    • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                    Similarity
                                                                    • API ID: Temp$DirectoryFileNamePathWindows
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                    • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                    Similarity
                                                                    • API ID: CloseHandleSleep
                                                                    • String ID: }A
                                                                    APIs
                                                                    • malloc.MSVCRT ref: 00409A10
                                                                    • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                    • free.MSVCRT ref: 00409A31
                                                                    Similarity
                                                                    • API ID: freemallocmemcpy
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d
                                                                    • API String ID: 0-2564639436
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID: BINARY
                                                                    • API String ID: 2221118986-907554435
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _wcsicmp
                                                                    • String ID: /stext
                                                                    • API String ID: 2081463915-3817206916
                                                                    APIs
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                    • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                    Similarity
                                                                    • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 2445788494-0
                                                                    APIs
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                    • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3150196962-0
                                                                    APIs
                                                                    Strings
                                                                    • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                    Similarity
                                                                    • API ID: malloc
                                                                    • String ID: failed to allocate %u bytes of memory
                                                                    • API String ID: 2803490479-1168259600
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0041BDDF
                                                                    • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                    Similarity
                                                                    • API ID: memcmpmemset
                                                                    • String ID:
                                                                    • API String ID: 1065087418-0
                                                                    APIs
                                                                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                    • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                      • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                      • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                      • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                    Similarity
                                                                    • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                    • String ID:
                                                                    • API String ID: 1381354015-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: memset
                                                                    • String ID:
                                                                    • API String ID: 2221118986-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    APIs
                                                                      • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                      • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                      • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                      • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                    Similarity
                                                                    • API ID: File$Time$CloseCompareCreateHandlememset
                                                                    • String ID:
                                                                    • API String ID: 2154303073-0
                                                                    APIs
                                                                      • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3150196962-0
                                                                    APIs
                                                                    • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Similarity
                                                                    • API ID: File$PointerRead
                                                                    • String ID:
                                                                    • API String ID: 3154509469-0
                                                                    APIs
                                                                    • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                      • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                      • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                      • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                    Similarity
                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                    • String ID:
                                                                    • API String ID: 4232544981-0
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    APIs
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$FileModuleName
                                                                    • String ID:
                                                                    • API String ID: 3859505661-0
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    APIs
                                                                    • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID:
                                                                    • API String ID: 3934441357-0
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    APIs
                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                    Similarity
                                                                    • API ID: ??3@
                                                                    • String ID:
                                                                    • API String ID: 613200358-0
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    APIs
                                                                    • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                    Similarity
                                                                    • API ID: EnumNamesResource
                                                                    • String ID:
                                                                    • API String ID: 3334572018-0
                                                                    APIs
                                                                    • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    APIs
                                                                    • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                    Similarity
                                                                    • API ID: CloseFind
                                                                    • String ID:
                                                                    • API String ID: 1863332320-0
                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                    Similarity
                                                                    • API ID: Open
                                                                    • String ID:
                                                                    • API String ID: 71445658-0
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004095FC
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                      • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                      • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                      • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                    Similarity
                                                                    • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                    • String ID:
                                                                    • API String ID: 3655998216-0
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00445426
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                    Similarity
                                                                    • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                    • String ID:
                                                                    • API String ID: 1828521557-0
                                                                    Similarity
                                                                    • API ID: _wcsicmp
                                                                    • String ID:
                                                                    • API String ID: 2081463915-0
                                                                    APIs
                                                                      • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateErrorHandleLastRead
                                                                    • String ID:
                                                                    • API String ID: 2136311172-0
                                                                    • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                    • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                    • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                    • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                    APIs
                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ??2@??3@
                                                                    • String ID:
                                                                    • API String ID: 1936579350-0
                                                                    • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                                    • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                    • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                                                    • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                    • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                    • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                    • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                    • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                    • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                    • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: free
                                                                    • String ID:
                                                                    • API String ID: 1294909896-0
                                                                    • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                    • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                    • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                    • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                    APIs
                                                                    • GetLastError.KERNEL32 ref: 004182D7
                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                    • LocalFree.KERNEL32(?), ref: 00418342
                                                                    • free.MSVCRT ref: 00418370
                                                                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                    • String ID: OsError 0x%x (%u)
                                                                    • API String ID: 2360000266-2664311388
                                                                    • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                    • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                    • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                    • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Version
                                                                    • String ID:
                                                                    • API String ID: 1889659487-0
                                                                    • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                    • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                    • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                    • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                    APIs
                                                                    • _wcsicmp.MSVCRT ref: 004022A6
                                                                    • _wcsicmp.MSVCRT ref: 004022D7
                                                                    • _wcsicmp.MSVCRT ref: 00402305
                                                                    • _wcsicmp.MSVCRT ref: 00402333
                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                    • memset.MSVCRT ref: 0040265F
                                                                    • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                    • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                    • API String ID: 577499730-1134094380
                                                                    • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                                    • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                    • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                                                    • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                    • GetWindowRect.USER32(?,?), ref: 00414088
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                    • GetDC.USER32 ref: 004140E3
                                                                    • wcslen.MSVCRT ref: 00414123
                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                    • ReleaseDC.USER32(?,?), ref: 00414181
                                                                    • _snwprintf.MSVCRT ref: 00414244
                                                                    • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                    • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                    • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                    • GetClientRect.USER32(?,?), ref: 004142E1
                                                                    • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                    • GetClientRect.USER32(?,?), ref: 0041433B
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                    • String ID: %s:$EDIT$STATIC
                                                                    • API String ID: 2080319088-3046471546
                                                                    • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                    • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                    • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                    • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                    APIs
                                                                    • EndDialog.USER32(?,?), ref: 00413221
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                    • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                    • memset.MSVCRT ref: 00413292
                                                                    • memset.MSVCRT ref: 004132B4
                                                                    • memset.MSVCRT ref: 004132CD
                                                                    • memset.MSVCRT ref: 004132E1
                                                                    • memset.MSVCRT ref: 004132FB
                                                                    • memset.MSVCRT ref: 00413310
                                                                    • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                    • memset.MSVCRT ref: 004133C0
                                                                    • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                    • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                    • wcscpy.MSVCRT ref: 0041341F
                                                                    • _snwprintf.MSVCRT ref: 0041348E
                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                    • SetFocus.USER32(00000000), ref: 004134B7
                                                                    Strings
                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                    • {Unknown}, xrefs: 004132A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                    • API String ID: 4111938811-1819279800
                                                                    • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                    • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                    • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                    • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                    • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                    • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                    • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                    • EndDialog.USER32(?,?), ref: 0040135E
                                                                    • DeleteObject.GDI32(?), ref: 0040136A
                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                    • ShowWindow.USER32(00000000), ref: 00401398
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                    • ShowWindow.USER32(00000000), ref: 004013A7
                                                                    • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                    • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                    • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                    • String ID:
                                                                    • API String ID: 829165378-0
                                                                    • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                    • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                    • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                    • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                    APIs
                                                                    • memset.MSVCRT ref: 00404172
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                    • wcscpy.MSVCRT ref: 004041D6
                                                                    • wcscpy.MSVCRT ref: 004041E7
                                                                    • memset.MSVCRT ref: 00404200
                                                                    • memset.MSVCRT ref: 00404215
                                                                    • _snwprintf.MSVCRT ref: 0040422F
                                                                    • wcscpy.MSVCRT ref: 00404242
                                                                    • memset.MSVCRT ref: 0040426E
                                                                    • memset.MSVCRT ref: 004042CD
                                                                    • memset.MSVCRT ref: 004042E2
                                                                    • _snwprintf.MSVCRT ref: 004042FE
                                                                    • wcscpy.MSVCRT ref: 00404311
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                    • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                    • API String ID: 2454223109-1580313836
                                                                    • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                    • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                    • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                    • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                    APIs
                                                                      • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                    • SetMenu.USER32(?,00000000), ref: 00411453
                                                                    • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                    • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                    • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                    • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                    • ShowWindow.USER32(?,?), ref: 004115FE
                                                                    • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                    • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                    • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                    • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                    • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                      • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                      • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                    • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                    • API String ID: 4054529287-3175352466
                                                                    • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                    • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                    • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                    • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                    • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                    • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                    • API String ID: 667068680-2887671607
                                                                    • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                    • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                    • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                    • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                    • API String ID: 2000436516-3842416460
                                                                    • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                    • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                    • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                    • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                    APIs
                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                    • free.MSVCRT ref: 0040E49A
                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                    • memset.MSVCRT ref: 0040E380
                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                    • wcschr.MSVCRT ref: 0040E3B8
                                                                    • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                    • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E407
                                                                    • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E422
                                                                    • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E43D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                    • API String ID: 3849927982-2252543386
                                                                    • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                    • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                    • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                    • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                    APIs
                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                    • memset.MSVCRT ref: 004085CF
                                                                    • memset.MSVCRT ref: 004085F1
                                                                    • memset.MSVCRT ref: 00408606
                                                                    • strcmp.MSVCRT ref: 00408645
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                    • memset.MSVCRT ref: 0040870E
                                                                    • strcmp.MSVCRT ref: 0040876B
                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                    • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                    • String ID: ---
                                                                    • API String ID: 3437578500-2854292027
                                                                    • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                    • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                    • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                    • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 004121FF
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                    • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                    • SelectObject.GDI32(?,?), ref: 00412251
                                                                    • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                    • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                      • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                      • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                      • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                    • SetCursor.USER32(00000000), ref: 004122BC
                                                                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                    • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                    • String ID:
                                                                    • API String ID: 1700100422-0
                                                                    • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                    • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                    • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                    • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                    APIs
                                                                    • GetClientRect.USER32(?,?), ref: 004111E0
                                                                    • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                    • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                    • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                    • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                    • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                    • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                    • String ID:
                                                                    • API String ID: 552707033-0
                                                                    • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                    • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                    • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                    • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                      • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                      • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                    • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                    • strchr.MSVCRT ref: 0040C140
                                                                    • strchr.MSVCRT ref: 0040C151
                                                                    • _strlwr.MSVCRT ref: 0040C15F
                                                                    • memset.MSVCRT ref: 0040C17A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                    • String ID: 4$h
                                                                    • API String ID: 4066021378-1856150674
                                                                    • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                    • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                    • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                    • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                    APIs
                                                                    • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                    • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                    • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                    • GetTickCount.KERNEL32 ref: 0040610B
                                                                    • GetParent.USER32(?), ref: 00406136
                                                                    • SendMessageW.USER32(00000000), ref: 0040613D
                                                                    • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                    • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                    • String ID: A
                                                                    • API String ID: 2892645895-3554254475
                                                                    • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                    • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                    • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                    • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                    • String ID: 0$6
                                                                    • API String ID: 4066108131-3849865405
                                                                    • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                    • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                    • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                    • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                    APIs
                                                                    • memset.MSVCRT ref: 004082EF
                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                    • memset.MSVCRT ref: 00408362
                                                                    • memset.MSVCRT ref: 00408377
                                                                    Similarity
                                                                    • API ID: memset$ByteCharMultiWide
                                                                    • String ID:
                                                                    • API String ID: 290601579-0
                                                                    • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                    • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                    • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                    • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                    APIs
                                                                    • memset.MSVCRT ref: 0040A47B
                                                                    • _snwprintf.MSVCRT ref: 0040A4AE
                                                                    • wcslen.MSVCRT ref: 0040A4BA
                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                    • wcslen.MSVCRT ref: 0040A4E0
                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                    Similarity
                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                    • String ID: %s (%s)$YV@
                                                                    • API String ID: 3979103747-598926743
                                                                    • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                    • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                    • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                    • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                    APIs
                                                                    • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                    • API String ID: 2780580303-317687271
                                                                    • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                    • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                    • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                    • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                    APIs
                                                                    • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                    • GetLastError.KERNEL32 ref: 0041855C
                                                                    • Sleep.KERNEL32(00000064), ref: 00418571
                                                                    • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                    • GetLastError.KERNEL32 ref: 0041858E
                                                                    • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                    • free.MSVCRT ref: 004185AC
                                                                    Similarity
                                                                    • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                    • String ID:
                                                                    • API String ID: 2802642348-0
                                                                    • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                    • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                    • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                    • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                    • wcscpy.MSVCRT ref: 0040D1B5
                                                                      • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                      • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                    • wcslen.MSVCRT ref: 0040D1D3
                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                    • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                    • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                    Similarity
                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                    • String ID: strings
                                                                    • API String ID: 3166385802-3030018805
                                                                    • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                    • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                    • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                    • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                    APIs
                                                                      • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                    • memset.MSVCRT ref: 00405455
                                                                    • memset.MSVCRT ref: 0040546C
                                                                    • memset.MSVCRT ref: 00405483
                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                    Similarity
                                                                    • API ID: memset$memcpy$ErrorLast
                                                                    • String ID: 6$\
                                                                    • API String ID: 404372293-1284684873
                                                                    • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                    • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                    • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                    • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                    APIs
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                    • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                    • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                    • wcscpy.MSVCRT ref: 0040A0D9
                                                                    • wcscat.MSVCRT ref: 0040A0E6
                                                                    • wcscat.MSVCRT ref: 0040A0F5
                                                                    • wcscpy.MSVCRT ref: 0040A107
                                                                    Similarity
                                                                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                    • String ID:
                                                                    • API String ID: 1331804452-0
                                                                    • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                    • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                    • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                    • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                    APIs
                                                                      • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                    Similarity
                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                    • String ID: advapi32.dll
                                                                    • API String ID: 2012295524-4050573280
                                                                    • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                    • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                    • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                    • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                    Strings
                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                    • <%s>, xrefs: 004100A6
                                                                    • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                    Similarity
                                                                    • API ID: memset$_snwprintf
                                                                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                    • API String ID: 3473751417-2880344631
                                                                    • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                    • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                    • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                    • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                    Similarity
                                                                    • API ID: wcscat$_snwprintfmemset
                                                                    • String ID: %2.2X
                                                                    • API String ID: 2521778956-791839006
                                                                    • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                    • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                    • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                    • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                    APIs
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                      • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                      • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                    • memset.MSVCRT ref: 0040C439
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                    • _wcsupr.MSVCRT ref: 0040C481
                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                    • memset.MSVCRT ref: 0040C4D0
                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                    Similarity
                                                                    • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                    • String ID:
                                                                    • API String ID: 4131475296-0
                                                                    • Opcode ID: 82fa03ba5326a94bf532841c06629f00165d9272e62604655f27a07229e6f7ea
                                                                    • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                    • Opcode Fuzzy Hash: 82fa03ba5326a94bf532841c06629f00165d9272e62604655f27a07229e6f7ea
                                                                    • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                    APIs
                                                                    • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                    • malloc.MSVCRT ref: 00417524
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                    • free.MSVCRT ref: 00417544
                                                                    • free.MSVCRT ref: 00417562
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                    • String ID:
                                                                    • API String ID: 4131324427-0
                                                                    • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                    • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                    • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                    • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                    • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                    • free.MSVCRT ref: 0041822B
                                                                    Similarity
                                                                    • API ID: PathTemp$free
                                                                    • String ID: %s\etilqs_$etilqs_
                                                                    • API String ID: 924794160-1420421710
APIs
• AreFileApisANSI.KERNEL32 ref: 00417497
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
• malloc.MSVCRT ref: 004174BD
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
• free.MSVCRT ref: 004174E4
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: ByteCharMultiWide$ApisFilefreemalloc
• String ID:
• API String ID: 4053608372-0
APIs
• GetParent.USER32(?), ref: 0040D453
• GetWindowRect.USER32(?,?), ref: 0040D460
• GetClientRect.USER32(00000000,?), ref: 0040D46B
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
• ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
• memset.MSVCRT ref: 004450CD
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
• CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• API String ID: 1471605966-0
APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
APIs
• free.MSVCRT ref: 0040F561
• memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
• memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: memcpy$free
• String ID: g4@
• API String ID: 2888793982-2133833424
APIs
• memset.MSVCRT ref: 004144E7
  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
• memset.MSVCRT ref: 0041451A
• GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID:
• API String ID: 1127616056-0
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
• malloc.MSVCRT ref: 00417459
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
• free.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00412403
• RegisterClassW.USER32(?), ref: 00412428
• GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID:
• API String ID: 2678498856-0
APIs
  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
• SetBkMode.GDI32(?,00000001), ref: 004143A2
• SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
• SetTextColor.GDI32(?,00C00000), ref: 004143BE
• GetStockObject.GDI32(00000000), ref: 004143C6
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
APIs
• memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
• memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
• GetModuleHandleW.KERNEL32(00000000), ref: 00413505
• DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
Memory Dump Source
• Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
                                                                    • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                    • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                    • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                    • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                    APIs
                                                                    • _snwprintf.MSVCRT ref: 0040A398
                                                                    • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: _snwprintfmemcpy
                                                                    • String ID: %2.2X
                                                                    • API String ID: 2789212964-323797159
                                                                    • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                    • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                    • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                    • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                    APIs
                                                                    • wcslen.MSVCRT ref: 0040B1DE
                                                                    • free.MSVCRT ref: 0040B201
                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                    • free.MSVCRT ref: 0040B224
                                                                    • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocwcslen
                                                                    • String ID:
                                                                    • API String ID: 726966127-0
                                                                    • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                    • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                    • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                    • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                    APIs
                                                                    • strlen.MSVCRT ref: 0040B0D8
                                                                    • free.MSVCRT ref: 0040B0FB
                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                    • free.MSVCRT ref: 0040B12C
                                                                    • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: free$memcpy$mallocstrlen
                                                                    • String ID:
                                                                    • API String ID: 3669619086-0
                                                                    • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                    • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                    • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                    • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                    • malloc.MSVCRT ref: 00417407
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                    • free.MSVCRT ref: 00417425
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.2267597132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_400000_Adobe.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                    • String ID:
                                                                    • API String ID: 2605342592-0
                                                                    • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                    • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                    • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                    • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5