Windows Analysis Report
aDGx3jaI7i.exe

Overview

General Information

Sample name: aDGx3jaI7i.exe (renamed because the original name is a hash value)
Original sample name: 87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
Analysis ID: 1567561
MD5: 18df057d5952c7f5366335ff201849b5
SHA1: 6c421f13a590822d583689221569ceff31f2dbae
SHA256: 87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58
Tags: exe, RemcosRAT, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Drops executable to a common third party application directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • aDGx3jaI7i.exe (PID: 960 cmdline: "C:\Users\user\Desktop\aDGx3jaI7i.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
    • aDGx3jaI7i.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\aDGx3jaI7i.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
      • Adobe.exe (PID: 7072 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
        • Adobe.exe (PID: 6768 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
  • Adobe.exe (PID: 5948 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
    • Adobe.exe (PID: 1920 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
  • Adobe.exe (PID: 2156 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
    • Adobe.exe (PID: 2060 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
    • Adobe.exe (PID: 2168 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
  • Adobe.exe (PID: 4008 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
    • Adobe.exe (PID: 7116 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 18DF057D5952C7F5366335FF201849B5)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (Remcos, as extracted by the Malware Configuration Extractor):
{"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-7P3KE1", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe", "Keylog folder": "remcos"}
Yara matches (memory dumps):
Source: 0000000D.00000002.1542202226.00000000012AA000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000006.00000002.3762484937.0000000001687000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 0000000F.00000002.1618135964.00000000014D7000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000009.00000002.1451161345.000000000125A000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000004.00000002.1327834572.00000000014BA000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Yara matches (unpacked PE files):
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack; Rule: JoeSecurity_Keylogger_Generic; Description: Yara detected Keylogger Generic; Author: Joe Security
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack; Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack; Rule: Windows_Trojan_Remcos_b296e965; Description: unknown; Author: unknown; Strings:
  • 0x690b8:$a1: Remcos restarted by watchdog!
  • 0x69630:$a3: %02i:%02i:%02i:%03i
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack; Rule: REMCOS_RAT_variants; Description: unknown; Author: unknown; Strings:
  • 0x6310c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6317c:$str_b2: Executing file:
  • 0x641fc:$str_b3: GetDirectListeningPort
  • 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d28:$str_b7: \update.vbs
  • 0x631a4:$str_b9: Downloaded file:
  • 0x63190:$str_b10: Downloading file:
  • 0x63234:$str_b12: Failed to upload file:
  • 0x641c4:$str_b13: StartForward
  • 0x641e4:$str_b14: StopForward
  • 0x63c80:$str_b15: fso.DeleteFile "
  • 0x63c14:$str_b16: On Error Resume Next
  • 0x63cb0:$str_b17: fso.DeleteFolder "
  • 0x63224:$str_b18: Uploaded file:
  • 0x631e4:$str_b19: Unable to delete:
  • 0x63c48:$str_b20: while fso.FileExists("
  • 0x636c1:$str_c0: [Firefox StoredLogins not found]

System Summary

Sigma detections:
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\aDGx3jaI7i.exe, ProcessId: 7128, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-7P3KE1
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\aDGx3jaI7i.exe, ProcessId: 7128, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-7P3KE1

Suricata IDS alerts:
Timestamp: 2024-12-03T17:03:26.428421+0100; SID: 2036594; Severity: 1; Classtype: Malware Command and Control Activity Detected; Source IP: 192.168.2.7; Source Port: 49704; Destination IP: 104.250.180.178; Destination Port: 7902; Protocol: TCP
Timestamp: 2024-12-03T17:03:30.988392+0100; SID: 2803304; Severity: 3; Classtype: Unknown Traffic; Source IP: 192.168.2.7; Source Port: 49713; Destination IP: 178.237.33.50; Destination Port: 80; Protocol: TCP

AV Detection

Source: aDGx3jaI7i.exe; Avira: detected
Source: C:\ProgramData\Adobe\Adobe.exe; Avira: detection malicious, Label: TR/AVI.Remcos.ienxc
Source: 0000000D.00000002.1542202226.00000000012AA000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-7P3KE1", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobe", "Keylog folder": "remcos"}
Source: C:\ProgramData\Adobe\Adobe.exe; ReversingLabs: Detection: 73%
Source: aDGx3jaI7i.exe; ReversingLabs: Detection: 73%
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3e80708.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000D.00000002.1542202226.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3762484937.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1618135964.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1451161345.000000000125A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1327834572.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: aDGx3jaI7i.exe PID: 960, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aDGx3jaI7i.exe PID: 7128, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 6768, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 1920, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 2168, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 7116, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Adobe\Adobe.exe; Joe Sandbox ML: detected
Source: aDGx3jaI7i.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,4_2_004338C8
Source: aDGx3jaI7i.exe, 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_9792b9d6-7)

Exploits

Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3e80708.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: aDGx3jaI7i.exe PID: 960, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aDGx3jaI7i.exe PID: 7128, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00407538 _wcslen,CoGetObject,4_2_00407538
Source: aDGx3jaI7i.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: aDGx3jaI7i.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: uKP.pdb; source: aDGx3jaI7i.exe, Adobe.exe.4.dr
Source: Binary string: uKP.pdbSHA256A; source: aDGx3jaI7i.exe, Adobe.exe.4.dr
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_0040928E
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041C322
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040C388
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_004096A0
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_00408847
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00407877 FindFirstFileW,FindNextFileW,4_2_00407877
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0044E8F9 FindFirstFileExA,4_2_0044E8F9
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040BB6B
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00419B86
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040BD72
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_00407CD2

Networking

Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49704 -> 104.250.180.178:7902
Source: Malware configuration extractor; IPs: 104.250.180.178
Source: global traffic; TCP traffic: 192.168.2.7:49704 -> 104.250.180.178:7902
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View; IP Address: 104.250.180.178
Source: Joe Sandbox View; IP Address: 178.237.33.50
Source: Joe Sandbox View; ASN Name: M247GB
Source: Network traffic; Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49713 -> 178.237.33.50:80
Source: unknown; TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,4_2_0041B411
Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic; DNS traffic detected: DNS query: geoplugin.net
Source: Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/
Source: Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/C
Source: Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp
Source: Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp)
Source: aDGx3jaI7i.exe, 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, aDGx3jaI7i.exe, 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000006.00000002.3762484937.0000000001687000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gpl
Source: aDGx3jaI7i.exe, Adobe.exe.4.dr; String found in binary or memory: http://tempuri.org/DataSet1.xsd

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000,4_2_0040A2F3
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,4_2_0040B749
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,4_2_004168FC
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,4_2_0040B749
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,4_2_0040A41B
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3e80708.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: aDGx3jaI7i.exe PID: 960, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aDGx3jaI7i.exe PID: 7128, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 7072, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 5948, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 2156, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 4008, type: MEMORYSTR

E-Banking Fraud

Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.aDGx3jaI7i.exe.3e80708.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000D.00000002.1542202226.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3762484937.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1618135964.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.1451161345.000000000125A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1327834572.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: aDGx3jaI7i.exe PID: 960, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: aDGx3jaI7i.exe PID: 7128, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 6768, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 1920, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 2168, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 7116, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0041CA73 SystemParametersInfoW,4_2_0041CA73

                  System Summary

                  barindex
                  Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2.aDGx3jaI7i.exe.3ff5748.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.aDGx3jaI7i.exe.3ff5748.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: aDGx3jaI7i.exe PID: 960, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: aDGx3jaI7i.exe PID: 7128, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 0_2_011DE274
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0043706A
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00414005
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0043E11C
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_004541D9
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_004381E8
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0041F18B
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00446270
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0043E34B
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_004533AB
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0042742E
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00437566
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0043E5A8
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_004387F0
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0043797E
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_004339D7
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0044DA49
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00427AD7
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0041DBF3
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00427C40
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00437DB3
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00435EEB
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0043DEED
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00426E9F
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_0105E274
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_07317AC8
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_07313508
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_073134F8
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_073113D0
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_07310F98
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_07312C30
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_07310B60
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_07317ABA
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_07408550
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_07408541
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00A2E274
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_0507E274
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_05186CB0
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_05180290
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_051802A0
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_05186CA0
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_07487D50
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_07483508
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_074834F8
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_074813D0
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_07480F98
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_07482C30
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 11_2_07480B60
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_016BE274
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_076F7AC8
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_076F3508
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_076F34F8
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_076F13D0
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_076F0F98
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_076F2C30
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_076F0B60
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_077D8550
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_077D8541
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: String function: 00401E65 appears 34 times
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: String function: 00434E70 appears 54 times
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: String function: 00434801 appears 41 times
Source: aDGx3jaI7i.exe, 00000000.00000002.1333744366.00000000072E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs aDGx3jaI7i.exe
Source: aDGx3jaI7i.exe, 00000000.00000000.1302957870.0000000000ABA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameuKP.exeD vs aDGx3jaI7i.exe
Source: aDGx3jaI7i.exe, 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs aDGx3jaI7i.exe
Source: aDGx3jaI7i.exe, 00000000.00000002.1327904880.00000000011EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs aDGx3jaI7i.exe
Source: aDGx3jaI7i.exe | Binary or memory string: OriginalFilenameuKP.exeD vs aDGx3jaI7i.exe
Source: aDGx3jaI7i.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.aDGx3jaI7i.exe.3ff5748.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.aDGx3jaI7i.exe.3ff5748.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.aDGx3jaI7i.exe.3e80708.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: aDGx3jaI7i.exe PID: 960, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: aDGx3jaI7i.exe PID: 7128, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: aDGx3jaI7i.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, SZN8XJwTwOr5f3mULm.cs | Security API names: _0020.SetAccessControl
Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, SZN8XJwTwOr5f3mULm.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, SZN8XJwTwOr5f3mULm.cs | Security API names: _0020.AddAccessRule
Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, SZN8XJwTwOr5f3mULm.cs | Security API names: _0020.SetAccessControl
Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, SZN8XJwTwOr5f3mULm.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, SZN8XJwTwOr5f3mULm.cs | Security API names: _0020.AddAccessRule
Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, Bcj42nGdqQQtbkwiPL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, Bcj42nGdqQQtbkwiPL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@18/5@1/2
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aDGx3jaI7i.exe.log
Source: C:\ProgramData\Adobe\Adobe.exe | Mutant created: \Sessions\1\BaseNamedObjects\Adobe-7P3KE1
Source: C:\ProgramData\Adobe\Adobe.exe | Mutant created: NULL
Source: aDGx3jaI7i.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: aDGx3jaI7i.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: aDGx3jaI7i.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | File read: C:\Users\user\Desktop\aDGx3jaI7i.exe
Source: unknown | Process created: C:\Users\user\Desktop\aDGx3jaI7i.exe "C:\Users\user\Desktop\aDGx3jaI7i.exe"
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Process created: C:\Users\user\Desktop\aDGx3jaI7i.exe "C:\Users\user\Desktop\aDGx3jaI7i.exe"
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Process created: C:\Users\user\Desktop\aDGx3jaI7i.exe "C:\Users\user\Desktop\aDGx3jaI7i.exe"
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: textshaping.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: iertutil.dll
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: aDGx3jaI7i.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: aDGx3jaI7i.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: aDGx3jaI7i.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: uKP.pdb source: aDGx3jaI7i.exe, Adobe.exe.4.dr
                  Source: Binary string: uKP.pdbSHA256A source: aDGx3jaI7i.exe, Adobe.exe.4.dr

                  Data Obfuscation

                  Source: aDGx3jaI7i.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, SZN8XJwTwOr5f3mULm.cs .Net Code: mWtruojQO9 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, SZN8XJwTwOr5f3mULm.cs .Net Code: mWtruojQO9 System.Reflection.Assembly.Load(byte[])
                  Source: Adobe.exe.4.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: aDGx3jaI7i.exe Static PE information: 0xF5C52262 [Mon Aug 30 19:28:34 2100 UTC]
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe Code function: 4_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,4_2_0041CBE1
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe Code function: 4_2_00457186 push ecx; ret 4_2_00457199
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe Code function: 4_2_0045E55D push esi; ret 4_2_0045E566
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe Code function: 4_2_00457AA8 push eax; ret 4_2_00457AC6
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe Code function: 4_2_00434EB6 push ecx; ret 4_2_00434EC9
                  Source: aDGx3jaI7i.exe Static PE information: section name: .text entropy: 7.837102538187458
                  Source: Adobe.exe.4.dr Static PE information: section name: .text entropy: 7.837102538187458
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, LbRd0Pd0v4GVTEnvmR.cs High entropy of concatenated method names: 'bhBcSguPL9', 'xXMc9C4wb8', 'qW6cOX1Jjx', 'YV2OIBtMKk', 'llDOz1cmvX', 'CxRcXWtsDj', 'Aixc44wAX8', 'aQpcKVEYZF', 'Ei3ceHTNZv', 'jC8crvTY9o'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, WysQ0vBCiatQVCwKSc.cs High entropy of concatenated method names: 'BiOCG9XYeO', 'J0FCZ8edPI', 't0SC7ek2LF', 'xUWCD1bWbG', 'GrdCnA3oKv', 'nALCyPKPPA', 'PyiCd3vBmA', 'wSYCaEpGhI', 'oEDC14X5tc', 'mrvCEsGU7X'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, Bcj42nGdqQQtbkwiPL.cs High entropy of concatenated method names: 'EBnYvtrPcr', 'jJNYh1DtPi', 'cBQYx8Ss0Y', 's7HY0BGanJ', 'swcYlqgJSn', 'IMdYmh7yP3', 'IHKYA7xT5g', 'GhMYFkq7FD', 'QQUY8aoetS', 'Hw1YIwSj7P'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, SxjW48Z841mC5ErqbD.cs High entropy of concatenated method names: 'qq792s1Eea', 'i139Mmafvk', 'efN9GirYZv', 'nsO9ZY3HeI', 'MAj9tYE3sL', 'Xx79WNn6dc', 'BF495V7moQ', 'jRh9sMUqeF', 'SIw9gwniyE', 'BSm9QYUdkT'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, f6mhXj8A96o2lBSAM2.cs High entropy of concatenated method names: 'cbis7O8ER6', 'U2KsDMelai', 'cX8sbJI1vP', 'B8Nsn3VPoU', 'urosvep9sG', 'nsisyep6NK', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, yCMtrP4eBsVW107pSJ7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TqBQvRxWjM', 'E2jQhlKmqA', 'pUrQxgg6FY', 'Dx9Q073FeU', 'WHOQlhif4h', 'M1dQmAOKvU', 'R35QAT5EHh'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, FTmVcsIXxmKSGgypQV.cs High entropy of concatenated method names: 'n4Wg4fC8rV', 'WI2geTY7i8', 'imIgrTQ9Ho', 'WxOgSMSaKi', 'eWngYRSe4p', 'J5xg6IUsZR', 'xiagOo1ldg', 'V09sAIENSt', 'DPSsF8dBh4', 'fycs8sh1QU'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, B37FbD4XJNxYZk99arK.cs High entropy of concatenated method names: 'KDwgPbQfjZ', 'skTgNQl9SL', 'tH8guAAaj1', 'E4fg26Q3V3', 'B89gJGMKT7', 'YgLgMytMEu', 'XS9gHMN08x', 'xlogGZuoGr', 'yhYgZQh02h', 'FEtgpeCl8i'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, VpXrIgi21xqJWAy0Mw.cs High entropy of concatenated method names: 'OXwcPVTFXt', 'iAIcNCScPN', 'ifvcuTqOXQ', 'CBTc2etXhO', 'x9jcJ9GRwM', 'eZacMCDO0d', 'rKccHRfxN7', 'ANlcG9asls', 'W0icZohFpg', 'wYBcp3qWum'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, hithiBrIQeUNNSP2PR.cs High entropy of concatenated method names: 'DiJ4ccj42n', 'LqQ4wQtbkw', 'X844f1mC5E', 'dqb4UD0Vsg', 'kZA4t0OZXg', 'tje4WdQFtX', 'DkU58QFtSSriCZgUxE', 'O33infxBNaK2oaeQuN', 'J0m44gipTQ', 'dqq4eNmw2d'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, YjPoHhvBW4PvVbl47G.cs High entropy of concatenated method names: 'bTot1GCjM6', 'WmctLFpggG', 'w54tvaAfRy', 'zVqthG3qOs', 'MKXtD3kCMw', 'hhrtbYjIwb', 'K6Otn91Xsx', 'jGTtyoaeLc', 'tuvtoWYW13', 'V4OtdkiKvg'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, EXgRje7dQFtXMxrdQZ.cs High entropy of concatenated method names: 'nKlOkVZn5P', 'EZkOYOgHJl', 'CEqO6CYFBt', 'geeOcQ1tu7', 'xXUOw8Qr0M', 'y6X6lkBQ7p', 'z8L6mXEAm4', 'he46A9dbi5', 'lGr6FFNVOf', 'RgE688SMd0'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, iEiGUlxkYLPeTmtAXL.cs High entropy of concatenated method names: 'ToString', 'Cu6WEl93LL', 'eKlWDqKEcH', 'ASQWbLMyCh', 'FAlWn4iX7c', 'qtHWyxo38J', 'dVKWo4Gd9W', 'zBmWdUekfZ', 'zIuWaY3bbr', 'DVnWi1BcUA'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, MRoX6IF9ysBJnn5hVX.cs High entropy of concatenated method names: 'BrgsSfZ90S', 'W1ksY1BLxF', 'k5Ks9WI9yU', 'GpMs6HiVG6', 'cJVsO67Ia8', 'AYAscgaF6t', 'YWPswOOddn', 'G84sqcjk9E', 'JXKsf4dNvP', 'RWfsUJPoj5'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, YVcsqNmG1uc9f3mTiR.cs High entropy of concatenated method names: 'U0t5FRUYfp', 'VBa5IA27ic', 'Th5sXwFJyU', 'FhRs4CKDGm', 'qB15ELaQqA', 'VDy5L81TTl', 'viP5ByqtBN', 'zXh5vfwXCl', 'PVf5hKMH0c', 'WGH5xkBcFQ'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, CjvFW7YdtIypUVuEiP.cs High entropy of concatenated method names: 'Dispose', 'VDA48xTarw', 'qKyKDhQkeu', 'SU1RReD9DB', 'SaR4IoX6I9', 'JsB4zJnn5h', 'ProcessDialogKey', 'wXSKX6mhXj', 'V96K4o2lBS', 'VM2KKpTmVc'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, SZN8XJwTwOr5f3mULm.cs High entropy of concatenated method names: 'rkFekUGwvb', 'WPHeSk9v9a', 'ys7eYOZDci', 'xkZe9GkixO', 'L5Ae6r8V8h', 'kFUeOgfOYw', 'SgvecrDCg3', 'NAnew2Z7WL', 'ExveqEI4cf', 'ReQefvCsQk'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, nNJj670OKtIx4gNKk0.cs High entropy of concatenated method names: 'LbM5f89cRi', 'vPH5UoDi7Z', 'ToString', 'smt5Sf0D4N', 'YVN5YDdggv', 'LP159aEAMO', 'pW456oilaV', 'qMv5O8lFhY', 'OdM5cFuBBG', 'Tk15wbeN51'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, cEIx5Vz74VC9xD8Bbs.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xTtgCiatRR', 'O4sgtcAlqh', 'Y9VgWyVjor', 'YHjg5Lg26P', 'HdAgsf0f5v', 'vCYgg89RQD', 'TVRgQ61LHk'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, TVsgP1pjBttx9wZA0O.cs High entropy of concatenated method names: 'AQF6J7NGMu', 'Okj6HinFgo', 'X7v9bpNCTU', 'uC39nXVWRC', 'yiJ9yGNyhO', 'P2o9oplEDn', 'zlJ9dHCFYU', 'NfS9aZsEHd', 'F849iQTyGL', 'U5Z91XXF17'
                  Source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, w9JOigKenxy9JDeXnh.cs High entropy of concatenated method names: 'd5uuoeZ0i', 'eba2IggJg', 'wcXMgkluR', 'eXKH0PArf', 'Xq7ZKPFEZ', 'Jh6pQBoI7', 'WCUrTZLupU6DQo1ARC', 'nBLMZHaCAD7TxeqGZb', 'RNTs9h0D4', 'OqjQnBFtR'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, LbRd0Pd0v4GVTEnvmR.cs High entropy of concatenated method names: 'bhBcSguPL9', 'xXMc9C4wb8', 'qW6cOX1Jjx', 'YV2OIBtMKk', 'llDOz1cmvX', 'CxRcXWtsDj', 'Aixc44wAX8', 'aQpcKVEYZF', 'Ei3ceHTNZv', 'jC8crvTY9o'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, WysQ0vBCiatQVCwKSc.cs High entropy of concatenated method names: 'BiOCG9XYeO', 'J0FCZ8edPI', 't0SC7ek2LF', 'xUWCD1bWbG', 'GrdCnA3oKv', 'nALCyPKPPA', 'PyiCd3vBmA', 'wSYCaEpGhI', 'oEDC14X5tc', 'mrvCEsGU7X'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, Bcj42nGdqQQtbkwiPL.cs High entropy of concatenated method names: 'EBnYvtrPcr', 'jJNYh1DtPi', 'cBQYx8Ss0Y', 's7HY0BGanJ', 'swcYlqgJSn', 'IMdYmh7yP3', 'IHKYA7xT5g', 'GhMYFkq7FD', 'QQUY8aoetS', 'Hw1YIwSj7P'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, SxjW48Z841mC5ErqbD.cs High entropy of concatenated method names: 'qq792s1Eea', 'i139Mmafvk', 'efN9GirYZv', 'nsO9ZY3HeI', 'MAj9tYE3sL', 'Xx79WNn6dc', 'BF495V7moQ', 'jRh9sMUqeF', 'SIw9gwniyE', 'BSm9QYUdkT'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, f6mhXj8A96o2lBSAM2.cs High entropy of concatenated method names: 'cbis7O8ER6', 'U2KsDMelai', 'cX8sbJI1vP', 'B8Nsn3VPoU', 'urosvep9sG', 'nsisyep6NK', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, yCMtrP4eBsVW107pSJ7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TqBQvRxWjM', 'E2jQhlKmqA', 'pUrQxgg6FY', 'Dx9Q073FeU', 'WHOQlhif4h', 'M1dQmAOKvU', 'R35QAT5EHh'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, FTmVcsIXxmKSGgypQV.cs High entropy of concatenated method names: 'n4Wg4fC8rV', 'WI2geTY7i8', 'imIgrTQ9Ho', 'WxOgSMSaKi', 'eWngYRSe4p', 'J5xg6IUsZR', 'xiagOo1ldg', 'V09sAIENSt', 'DPSsF8dBh4', 'fycs8sh1QU'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, B37FbD4XJNxYZk99arK.cs High entropy of concatenated method names: 'KDwgPbQfjZ', 'skTgNQl9SL', 'tH8guAAaj1', 'E4fg26Q3V3', 'B89gJGMKT7', 'YgLgMytMEu', 'XS9gHMN08x', 'xlogGZuoGr', 'yhYgZQh02h', 'FEtgpeCl8i'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, VpXrIgi21xqJWAy0Mw.cs High entropy of concatenated method names: 'OXwcPVTFXt', 'iAIcNCScPN', 'ifvcuTqOXQ', 'CBTc2etXhO', 'x9jcJ9GRwM', 'eZacMCDO0d', 'rKccHRfxN7', 'ANlcG9asls', 'W0icZohFpg', 'wYBcp3qWum'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, hithiBrIQeUNNSP2PR.cs High entropy of concatenated method names: 'DiJ4ccj42n', 'LqQ4wQtbkw', 'X844f1mC5E', 'dqb4UD0Vsg', 'kZA4t0OZXg', 'tje4WdQFtX', 'DkU58QFtSSriCZgUxE', 'O33infxBNaK2oaeQuN', 'J0m44gipTQ', 'dqq4eNmw2d'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, YjPoHhvBW4PvVbl47G.cs High entropy of concatenated method names: 'bTot1GCjM6', 'WmctLFpggG', 'w54tvaAfRy', 'zVqthG3qOs', 'MKXtD3kCMw', 'hhrtbYjIwb', 'K6Otn91Xsx', 'jGTtyoaeLc', 'tuvtoWYW13', 'V4OtdkiKvg'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, EXgRje7dQFtXMxrdQZ.cs High entropy of concatenated method names: 'nKlOkVZn5P', 'EZkOYOgHJl', 'CEqO6CYFBt', 'geeOcQ1tu7', 'xXUOw8Qr0M', 'y6X6lkBQ7p', 'z8L6mXEAm4', 'he46A9dbi5', 'lGr6FFNVOf', 'RgE688SMd0'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, iEiGUlxkYLPeTmtAXL.cs High entropy of concatenated method names: 'ToString', 'Cu6WEl93LL', 'eKlWDqKEcH', 'ASQWbLMyCh', 'FAlWn4iX7c', 'qtHWyxo38J', 'dVKWo4Gd9W', 'zBmWdUekfZ', 'zIuWaY3bbr', 'DVnWi1BcUA'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, MRoX6IF9ysBJnn5hVX.cs High entropy of concatenated method names: 'BrgsSfZ90S', 'W1ksY1BLxF', 'k5Ks9WI9yU', 'GpMs6HiVG6', 'cJVsO67Ia8', 'AYAscgaF6t', 'YWPswOOddn', 'G84sqcjk9E', 'JXKsf4dNvP', 'RWfsUJPoj5'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, YVcsqNmG1uc9f3mTiR.cs High entropy of concatenated method names: 'U0t5FRUYfp', 'VBa5IA27ic', 'Th5sXwFJyU', 'FhRs4CKDGm', 'qB15ELaQqA', 'VDy5L81TTl', 'viP5ByqtBN', 'zXh5vfwXCl', 'PVf5hKMH0c', 'WGH5xkBcFQ'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, CjvFW7YdtIypUVuEiP.cs High entropy of concatenated method names: 'Dispose', 'VDA48xTarw', 'qKyKDhQkeu', 'SU1RReD9DB', 'SaR4IoX6I9', 'JsB4zJnn5h', 'ProcessDialogKey', 'wXSKX6mhXj', 'V96K4o2lBS', 'VM2KKpTmVc'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, SZN8XJwTwOr5f3mULm.cs High entropy of concatenated method names: 'rkFekUGwvb', 'WPHeSk9v9a', 'ys7eYOZDci', 'xkZe9GkixO', 'L5Ae6r8V8h', 'kFUeOgfOYw', 'SgvecrDCg3', 'NAnew2Z7WL', 'ExveqEI4cf', 'ReQefvCsQk'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, nNJj670OKtIx4gNKk0.cs High entropy of concatenated method names: 'LbM5f89cRi', 'vPH5UoDi7Z', 'ToString', 'smt5Sf0D4N', 'YVN5YDdggv', 'LP159aEAMO', 'pW456oilaV', 'qMv5O8lFhY', 'OdM5cFuBBG', 'Tk15wbeN51'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, cEIx5Vz74VC9xD8Bbs.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xTtgCiatRR', 'O4sgtcAlqh', 'Y9VgWyVjor', 'YHjg5Lg26P', 'HdAgsf0f5v', 'vCYgg89RQD', 'TVRgQ61LHk'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, TVsgP1pjBttx9wZA0O.cs High entropy of concatenated method names: 'AQF6J7NGMu', 'Okj6HinFgo', 'X7v9bpNCTU', 'uC39nXVWRC', 'yiJ9yGNyhO', 'P2o9oplEDn', 'zlJ9dHCFYU', 'NfS9aZsEHd', 'F849iQTyGL', 'U5Z91XXF17'
                  Source: 0.2.aDGx3jaI7i.exe.72e0000.6.raw.unpack, w9JOigKenxy9JDeXnh.cs High entropy of concatenated method names: 'd5uuoeZ0i', 'eba2IggJg', 'wcXMgkluR', 'eXKH0PArf', 'Xq7ZKPFEZ', 'Jh6pQBoI7', 'WCUrTZLupU6DQo1ARC', 'nBLMZHaCAD7TxeqGZb', 'RNTs9h0D4', 'OqjQnBFtR'

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe File written: C:\ProgramData\Adobe\Adobe.exe
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe Code function: 4_2_00406EEB ShellExecuteW,URLDownloadToFileW,4_2_00406EEB
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe File created: C:\ProgramData\Adobe\Adobe.exe
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe File created: C:\ProgramData\Adobe\Adobe.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-7P3KE1Jump to behavior
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeCode function: 4_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_0041AADB
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-7P3KE1Jump to behavior
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-7P3KE1Jump to behavior
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-7P3KE1Jump to behavior
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-7P3KE1Jump to behavior
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeCode function: 4_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,4_2_0041CBE1
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Process information set: NOOPENFILEERRORBOX (39 identical entries)
                  Source: C:\ProgramData\Adobe\Adobe.exe; Process information set: NOOPENFILEERRORBOX (152 identical entries)

                  Malware Analysis System Evasion

                  Source: Yara match; File source: Process Memory Space: aDGx3jaI7i.exe PID: 960, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 7072, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040F7E2 Sleep,ExitProcess,4_2_0040F7E2
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Memory allocated: 11D0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Memory allocated: 2DB0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Memory allocated: 4DB0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Memory allocated: 8E10000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Memory allocated: 74A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Memory allocated: 9E10000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Memory allocated: AE10000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: DD0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 2C00000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 2930000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 8B70000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 7110000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 9B70000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: AB70000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: A20000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 25F0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: B50000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 84C0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 6A90000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 94C0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: A4C0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 1270000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 2C10000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 1270000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 8BB0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 7280000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 9BB0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: ABB0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 14B0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 2F80000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 4F80000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 8F30000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 74F0000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: 9F30000 memory reserve | memory write watch
                  Source: C:\ProgramData\Adobe\Adobe.exe; Memory allocated: AF30000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,4_2_0041A7D9
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe; Window / User API: threadDelayed 4790
                  Source: C:\ProgramData\Adobe\Adobe.exe; Window / User API: threadDelayed 5203
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Evaded block: after key decision (graph_4-47698)
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Evaded block: after key decision (graph_4-47674)
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; API coverage: 6.3 %
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe TID: 2000; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 2012; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 7096; Thread sleep count: 4790 > 30
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 7096; Thread sleep time: -14370000s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 7096; Thread sleep count: 5203 > 30
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 7096; Thread sleep time: -15609000s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 6428; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 1268; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\ProgramData\Adobe\Adobe.exe TID: 3896; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_0040928E
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041C322
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040C388
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_004096A0
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_00408847
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00407877 FindFirstFileW,FindNextFileW,4_2_00407877
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0044E8F9 FindFirstFileExA,4_2_0044E8F9
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040BB6B
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00419B86
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040BD72
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_00407CD2
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\ProgramData\Adobe\Adobe.exe; Thread delayed: delay time: 922337203685477
                  Source: Adobe.exe, 00000006.00000002.3762484937.0000000001687000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW`#q
                  Source: Adobe.exe, 00000006.00000002.3762484937.000000000170D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWF7B
                  Source: Adobe.exe, 00000006.00000002.3762484937.000000000170D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                  Source: C:\ProgramData\Adobe\Adobe.exe; Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00434A8A
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,4_2_0041CBE1
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00443355 mov eax, dword ptr fs:[00000030h]4_2_00443355
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_004120B2 GetProcessHeap,HeapFree,4_2_004120B2
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_0043503C
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00434A8A
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe; Code function: 4_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0043BB71
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeCode function: 4_2_00434BD8 SetUnhandledExceptionFilter,4_2_00434BD8
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
                  Source: C:\ProgramData\Adobe\Adobe.exe | Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 4_2_00412132
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00419662 mouse_event | 4_2_00419662
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Process created: C:\Users\user\Desktop\aDGx3jaI7i.exe "C:\Users\user\Desktop\aDGx3jaI7i.exe"
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
                  Source: Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager.
                  Source: Adobe.exe, 00000006.00000002.3762484937.0000000001687000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00434CB6 cpuid | 4_2_00434CB6
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: EnumSystemLocalesW | 4_2_0045201B
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: EnumSystemLocalesW | 4_2_004520B6
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 4_2_00452143
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: GetLocaleInfoW | 4_2_00452393
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: EnumSystemLocalesW | 4_2_00448484
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 4_2_004524BC
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: GetLocaleInfoW | 4_2_004525C3
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 4_2_00452690
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: GetLocaleInfoW | 4_2_0044896D
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: GetLocaleInfoA | 4_2_0040F90C
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 4_2_00451D58
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: EnumSystemLocalesW | 4_2_00451FD0
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Queries volume information: C:\Users\user\Desktop\aDGx3jaI7i.exe VolumeInformation
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\ProgramData\Adobe\Adobe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0041A045 __EH_prolog,GdiplusStartup,CreateDirectoryW,Sleep,Sleep,GetLocalTime,Sleep | 4_2_0041A045
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_0041B69E GetUserNameW | 4_2_0041B69E
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: 4_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free | 4_2_00449210
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.aDGx3jaI7i.exe.3e80708.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000D.00000002.1542202226.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.3762484937.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.1618135964.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.1451161345.000000000125A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.1327834572.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: aDGx3jaI7i.exe PID: 960, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: aDGx3jaI7i.exe PID: 7128, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 6768, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1920, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2168, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 7116, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 4_2_0040BA4D
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 4_2_0040BB6B
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: \key3.db | 4_2_0040BB6B

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.aDGx3jaI7i.exe.3e80708.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.aDGx3jaI7i.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.aDGx3jaI7i.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.aDGx3jaI7i.exe.3ff5748.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.aDGx3jaI7i.exe.3f3af28.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.aDGx3jaI7i.exe.3e80708.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000D.00000002.1542202226.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000006.00000002.3762484937.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.1618135964.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.1451161345.000000000125A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.1327834572.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: aDGx3jaI7i.exe PID: 960, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: aDGx3jaI7i.exe PID: 7128, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 6768, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1920, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2168, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 7116, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\aDGx3jaI7i.exe | Code function: cmd.exe | 4_2_0040569A
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                  Native API
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  1
                  Disable or Modify Tools
                  1
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  12
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts1
                  Command and Scripting Interpreter
                  1
                  Windows Service
                  1
                  Bypass User Account Control
                  1
                  Deobfuscate/Decode Files or Information
                  111
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol111
                  Input Capture
                  2
                  Encrypted Channel
                  Exfiltration Over Bluetooth1
                  Defacement
                  Email AddressesDNS ServerDomain Accounts2
                  Service Execution
                  11
                  Registry Run Keys / Startup Folder
                  1
                  Access Token Manipulation
                  3
                  Obfuscated Files or Information
                  2
                  Credentials In Files
                  1
                  System Service Discovery
                  SMB/Windows Admin Shares3
                  Clipboard Data
                  1
                  Non-Standard Port
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                  Windows Service
                  12
                  Software Packing
                  NTDS3
                  File and Directory Discovery
                  Distributed Component Object ModelInput Capture2
                  Non-Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script122
                  Process Injection
                  1
                  Timestomp
                  LSA Secrets33
                  System Information Discovery
                  SSHKeylogging12
                  Application Layer Protocol
                  Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts11
                  Registry Run Keys / Startup Folder
                  1
                  DLL Side-Loading
                  Cached Domain Credentials121
                  Security Software Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Bypass User Account Control
                  DCSync31
                  Virtualization/Sandbox Evasion
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                  Masquerading
                  Proc Filesystem3
                  Process Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt31
                  Virtualization/Sandbox Evasion
                  /etc/passwd and /etc/shadow1
                  Application Window Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                  Access Token Manipulation
                  Network Sniffing1
                  System Owner/User Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd122
                  Process Injection
                  Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                  Behavior Graph ID: 1567561 | Sample: aDGx3jaI7i.exe | Startdate: 03/12/2024 | Architecture: WINDOWS | Score: 100
                  Start (node 2)
                    DNS/IP: geoplugin.net
                    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
                    Started: aDGx3jaI7i.exe (node 9); Adobe.exe (node 13); Adobe.exe (node 15); Adobe.exe (node 17)
                  aDGx3jaI7i.exe (node 9)
                    Dropped: C:\Users\user\AppData\...\aDGx3jaI7i.exe.log, ASCII
                    Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
                    Started: aDGx3jaI7i.exe (node 19)
                  Adobe.exe (node 13)
                    Signatures: Injects a PE file into a foreign processes
                    Started: Adobe.exe (node 23); Adobe.exe (node 25)
                  Adobe.exe (node 15)
                    Started: Adobe.exe (node 27)
                  Adobe.exe (node 17)
                    Started: Adobe.exe (node 29)
                  aDGx3jaI7i.exe (node 19)
                    Dropped: C:\ProgramData\Adobe\Adobe.exe, PE32; C:\ProgramData\...\Adobe.exe:Zone.Identifier, ASCII
                    Signatures: Creates autostart registry keys with suspicious names; Drops executable to a common third party application directory
                    Started: Adobe.exe (node 31)
                  Adobe.exe (node 31)
                    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                    Started: Adobe.exe (node 34)
                  Adobe.exe (node 34)
                    DNS/IP: 104.250.180.178, 49704, 7902 M247GB United States; geoplugin.net 178.237.33.50, 49713, 80 ATOM86-ASATOM86NL Netherlands

                  Source | Detection | Scanner | Label | Link
                  aDGx3jaI7i.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos |
                  aDGx3jaI7i.exe | 100% | Avira | TR/AVI.Remcos.ienxc |
                  aDGx3jaI7i.exe | 100% | Joe Sandbox ML | |
                  Source | Detection | Scanner | Label | Link
                  C:\ProgramData\Adobe\Adobe.exe | 100% | Avira | TR/AVI.Remcos.ienxc |
                  C:\ProgramData\Adobe\Adobe.exe | 100% | Joe Sandbox ML | |
                  C:\ProgramData\Adobe\Adobe.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  geoplugin.net | 178.237.33.50 | true | false | | high
                  Name | Malicious | Antivirus Detection | Reputation
                  http://geoplugin.net/json.gp | false | | high
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://geoplugin.net/ | Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://geoplugin.net/C | Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://geoplugin.net/json.gp/C | aDGx3jaI7i.exe, 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, aDGx3jaI7i.exe, 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
                  http://geoplugin.net/json.gpl | Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://geoplugin.net/json.gp) | Adobe.exe, 00000006.00000002.3762484937.00000000016C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://geoplugin.net/json.gpSystem32 | Adobe.exe, 00000006.00000002.3762484937.0000000001687000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://tempuri.org/DataSet1.xsd | aDGx3jaI7i.exe, Adobe.exe.4.dr | false | | high
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  104.250.180.178 | unknown | United States | 9009 | M247GB | true
                  178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                  Joe Sandbox version: 41.0.0 Charoite
                  Analysis ID: 1567561
                  Start date and time: 2024-12-03 17:02:21 +01:00
                  Joe Sandbox product: CloudBasic
                  Overall analysis duration: 0h 10m 9s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed: 20
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Sample name: aDGx3jaI7i.exe
                  renamed because original name is a hash value
                  Original Sample Name: 87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
                  Detection: MAL
                  Classification: mal100.rans.troj.spyw.expl.evad.winEXE@18/5@1/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 98%
                  • Number of executed functions: 139
                  • Number of non-executed functions: 209
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: aDGx3jaI7i.exe
Time      Type             Description
11:03:19  API Interceptor  2x Sleep call for process: aDGx3jaI7i.exe modified
11:03:22  API Interceptor  4326699x Sleep call for process: Adobe.exe modified
17:03:24  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adobe-7P3KE1 "C:\ProgramData\Adobe\Adobe.exe"
17:03:33  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Adobe-7P3KE1 "C:\ProgramData\Adobe\Adobe.exe"
18:32:24  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Adobe-7P3KE1 "C:\ProgramData\Adobe\Adobe.exe"
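The three Autostart rows above show one value, Adobe-7P3KE1, written to both the HKCU and HKLM Run keys (the HKCU64 row is the same HKCU key reached through the 64-bit registry view) and pointing at a copy of the sample under C:\ProgramData. The Python below is an added example and not part of the Joe Sandbox report: it applies the triage heuristics a responder would run over an export of those keys. The entry list is constructed from the rows above plus one constructed benign control row, and the heuristics (user-writable install path, the same command in both hives, a random-looking value-name suffix) are assumptions, not Remcos signatures.

```python
import re

# Constructed from the three Autostart rows in the timeline above, plus one
# constructed benign control entry so the triage has something to pass.
RUN_ENTRIES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Adobe-7P3KE1",
     '"C:\\ProgramData\\Adobe\\Adobe.exe"'),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Adobe-7P3KE1",
     '"C:\\ProgramData\\Adobe\\Adobe.exe"'),
    ("HKCU64\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Adobe-7P3KE1",
     '"C:\\ProgramData\\Adobe\\Adobe.exe"'),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     "C:\\Windows\\system32\\SecurityHealthSystray.exe /hide"),  # constructed control row
]

# Directories any interactive user can write to.  Heuristic (assumption):
# legitimately installed auto-start software lives under Program Files or Windows.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def executable_from_command(command: str) -> str:
    """Extract the executable path from a Run value's command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: take everything up to and including the first ".exe" token.
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def hive_of(key_path: str) -> str:
    """Normalise the hive name: HKCU64 (the 64-bit view) is still HKCU."""
    return re.sub(r"64$", "", key_path.split("\\", 1)[0].upper())


def triage_run_entries(entries):
    """Group Run values by target executable and return {exe_lower: [reasons]}
    for every executable that trips at least one heuristic."""
    by_exe = {}
    for key_path, value_name, command in entries:
        exe = executable_from_command(command)
        rec = by_exe.setdefault(exe.lower(), {"exe": exe, "names": set(), "hives": set()})
        rec["names"].add(value_name)
        rec["hives"].add(hive_of(key_path))

    findings = {}
    for exe_lower, rec in by_exe.items():
        reasons = []
        if exe_lower.startswith(USER_WRITABLE_ROOTS):
            reasons.append("executable lives in a user-writable directory")
        if {"HKCU", "HKLM"} <= rec["hives"]:
            reasons.append("same command registered in both HKCU and HKLM Run (double persistence)")
        if any(re.fullmatch(r"[A-Za-z]+-[A-Z0-9]{6}", n) for n in rec["names"]):
            reasons.append("value name is a word plus a random-looking 6-character suffix (heuristic)")
        if reasons:
            findings[exe_lower] = reasons
    return findings


if __name__ == "__main__":
    for exe, reasons in triage_run_entries(RUN_ENTRIES).items():
        print(exe)
        for reason in reasons:
            print("  -", reason)
```

On a live host the same tuples come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent (or Python's winreg module). Writing under HKLM needs administrative rights, which is worth reading together with the CMSTPLUA UAC-bypass signature listed in the overview.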
IPs: Match / Associated Sample Name or URL / Detection / Threat Name / Context
104.250.180.178
• ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos
• THITWNSEI24112908089786756456545346568789-00010.scr.exe | malicious | XWorm
• SKM_BH450i2411261138090453854974574748668683985857435.scr.exe | malicious | PureLog Stealer, XWorm
• #U4f73#U5ddd#U7acb 20241202 KAOHSIUNG-MANILA NORTH PORT 1x20' SO.scr.exe | malicious | PureLog Stealer, Remcos
• Draft - HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, Remcos
• CI-PL- HBL# WSPAE1311198 VSL# COSCO NETHERLANDS V-067E.scr.exe | malicious | PureLog Stealer, XWorm
• Doc089776867565357609 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | Remcos
• PACKIING-#U5ee3#U5dde#U7acb#U5f97 - EVER ATOP V.1319-008W KHH-RTM SO A268.scr.exe | malicious | XWorm
• rSOD219ISF-____.scr.exe | malicious | Remcos
• rWWTLCLtoUSADCL.scr.exe | malicious | XWorm
178.237.33.50
• E84Ddy7gSh.exe | malicious | Remcos | geoplugin.net/json.gp
• z49FACTURA-0987678.exe | malicious | Remcos | geoplugin.net/json.gp
• LBzGgy6rnu.doc | malicious | Remcos | geoplugin.net/json.gp
• EIuz8Bk9kGav2ix.exe | malicious | Remcos | geoplugin.net/json.gp
• 0200011080.xls | malicious | Remcos, HTMLPhisher | geoplugin.net/json.gp
• 1099833039444.pdf.js | malicious | Remcos | geoplugin.net/json.gp
• RFQ-24-10104-PO X241104754-007.exe | malicious | Remcos | geoplugin.net/json.gp
• FAT6789098700900.scr.exe | malicious | Remcos | geoplugin.net/json.gp
• ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos | geoplugin.net/json.gp
• 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
Domains: Match / Associated Sample Name or URL / Detection / Threat Name / Context
geoplugin.net
• E84Ddy7gSh.exe | malicious | Remcos | 178.237.33.50
• z49FACTURA-0987678.exe | malicious | Remcos | 178.237.33.50
• LBzGgy6rnu.doc | malicious | Remcos | 178.237.33.50
• EIuz8Bk9kGav2ix.exe | malicious | Remcos | 178.237.33.50
• 0200011080.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
• 1099833039444.pdf.js | malicious | Remcos | 178.237.33.50
• RFQ-24-10104-PO X241104754-007.exe | malicious | Remcos | 178.237.33.50
• FAT6789098700900.scr.exe | malicious | Remcos | 178.237.33.50
• ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos | 178.237.33.50
• 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ASNs: Match / Associated Sample Name or URL / Detection / Threat Name / Context
M247GB
• ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos | 104.250.180.178
• THITWNSEI24112908089786756456545346568789-00010.scr.exe | malicious | XWorm | 104.250.180.178
• rAttached_updat.vbs | malicious | GuLoader, Remcos | 172.111.247.228
• teste.arm.elf | malicious | Gafgyt, Mirai, Moobot, Okiru | 158.46.140.103
• sora.ppc.elf | malicious | Mirai | 38.201.44.7
• la.bot.arm5.elf | malicious | Unknown | 62.216.72.28
• arm7-20241130-2047.elf | malicious | Mirai | 38.206.34.38
• sample.bin.exe | malicious | Unknown | 172.86.76.228
• sample.bin.exe | malicious | Unknown | 172.86.76.228
• EEghgCvQUy.exe | malicious | DanaBot | 172.86.76.246
ATOM86-ASATOM86NL
• E84Ddy7gSh.exe | malicious | Remcos | 178.237.33.50
• z49FACTURA-0987678.exe | malicious | Remcos | 178.237.33.50
• LBzGgy6rnu.doc | malicious | Remcos | 178.237.33.50
• EIuz8Bk9kGav2ix.exe | malicious | Remcos | 178.237.33.50
• 0200011080.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
• 1099833039444.pdf.js | malicious | Remcos | 178.237.33.50
• RFQ-24-10104-PO X241104754-007.exe | malicious | Remcos | 178.237.33.50
• FAT6789098700900.scr.exe | malicious | Remcos | 178.237.33.50
• ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos | 178.237.33.50
• 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                                        No context
                                                        No context
                                                        Process:C:\Users\user\Desktop\aDGx3jaI7i.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1011712
                                                        Entropy (8bit):7.8320350333655355
                                                        Encrypted:false
                                                        SSDEEP:24576:UL3gqH9oc5KKhWIpBwxgCeg+5LxcvFEgOX9BMN4h7A0:UL3gK9d5KKMIp9CT+5WagODRBd
                                                        MD5:18DF057D5952C7F5366335FF201849B5
                                                        SHA1:6C421F13A590822D583689221569CEFF31F2DBAE
                                                        SHA-256:87FCA3267CA394E5BC414194C7C6DEC142AE132921EFAA2763C6D15F430D6C58
                                                        SHA-512:4533B5078683C46E727DD2462745C5893AD9231FA85165595AF4242FF7D849AF29B3BF8EC2C7F91F3E03ACDED594BDC7561545CBAF87EDF4FC3AB37E349725DE
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 74%
                                                        Reputation:low
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b"................0..f.............. ........@.. ....................................@.....................................O...................................tI..p............................................ ............... ..H............text....e... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B.......................H..................$....[...............................................0............}.....r...p}......}......}......}.....( ......(......{.....o!.....{.....o!.....{.....o!.....{..........%.r...p.%.r...p.%.r...p.("...&*.0..-..........{.....X}.....{.... .....6.{.... .....).{.... .......{.... .......{.... ......+....,....{.....X}.....+X.{.... p....6.{.... X....).{.... @......{.... (#.....{.... .'....+....,....{.....X}.......{....(......{....r...p.|....(#...($...o%.....(......{
                                                        Process:C:\Users\user\Desktop\aDGx3jaI7i.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        Process:C:\ProgramData\Adobe\Adobe.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Users\user\Desktop\aDGx3jaI7i.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\ProgramData\Adobe\Adobe.exe
                                                        File Type:JSON data
                                                        Category:dropped
                                                        Size (bytes):963
                                                        Entropy (8bit):5.014904284428935
                                                        Encrypted:false
                                                        SSDEEP:12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                        MD5:B66CFB6461E507BB577CDE91F270844E
                                                        SHA1:6D952DE48032731679F8718D1F1C3F08202507C3
                                                        SHA-256:E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
                                                        SHA-512:B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
                                                        Malicious:false
                                                        Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.8320350333655355
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Windows Screen Saver (13104/52) 0.07%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        File name:aDGx3jaI7i.exe
                                                        File size:1'011'712 bytes
                                                        MD5:18df057d5952c7f5366335ff201849b5
                                                        SHA1:6c421f13a590822d583689221569ceff31f2dbae
                                                        SHA256:87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58
                                                        SHA512:4533b5078683c46e727dd2462745c5893ad9231fa85165595af4242ff7d849af29b3bf8ec2c7f91f3e03acded594bdc7561545cbaf87edf4fc3ab37e349725de
                                                        SSDEEP:24576:UL3gqH9oc5KKhWIpBwxgCeg+5LxcvFEgOX9BMN4h7A0:UL3gK9d5KKMIp9CT+5WagODRBd
                                                        TLSH:E02502603659DF26D9AA0FF40020E97207B56E8EB921E30A8ED9BCD77537BD01B54723
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b"................0..f............... ........@.. ....................................@................................
                                                        Icon Hash:00928e8e8686b000
                                                        Entrypoint:0x4f85ee
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0xF5C52262 [Mon Aug 30 19:28:34 2100 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
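The Time Stamp field above decodes to 30 August 2100, which is what the "Binary contains a suspicious time stamp" signature in the overview refers to. The Python below is an added example and not part of the Joe Sandbox report: it builds a header-only PE32 carrying the values from the table above (TimeDateStamp 0xF5C52262, entry point 0x4f85ee, image base 0x400000, the four listed DLL Characteristics flags, three sections), parses it back with only the standard library, and flags a timestamp that is zero or later than a fixed reference date. The constructed header and the reference date of 1 December 2024 are assumptions.

```python
import struct
from datetime import datetime, timezone

# DllCharacteristics bits named in the report; values from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Reference "now" for the checks (assumption): the related samples in this
# report are dated late November / early December 2024.
ANALYSIS_DATE = datetime(2024, 12, 1, tzinfo=timezone.utc)


def build_minimal_pe32(timestamp: int, dll_characteristics: int,
                       entry_rva: int = 0xF85EE, image_base: int = 0x400000) -> bytes:
    """Construct only the headers of a PE32 file (not loadable; test input only)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> PE signature
    # COFF header: Machine=I386, 3 sections, TimeDateStamp, no symbol table,
    # SizeOfOptionalHeader=0xE0 (PE32), Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase
    struct.pack_into("<H", opt, 68, 2)                    # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


def parse_pe_header(data: bytes) -> dict:
    """Read the fields a triage needs from the DOS, COFF and PE32 optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "entry_point_va": image_base + entry_rva,
        "dll_characteristics": [name for bit, name in sorted(IMAGE_DLLCHARACTERISTICS.items())
                                if dllchars & bit],
    }


def timestamp_findings(timestamp: int, now: datetime = ANALYSIS_DATE) -> list:
    """Flag a TimeDateStamp that cannot be a genuine build time."""
    if timestamp == 0:
        return ["timestamp is zero (stripped)"]
    when = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    if when > now:
        return [f"timestamp is in the future: {when:%Y-%m-%d %H:%M:%S} UTC"]
    return []


if __name__ == "__main__":
    sample = build_minimal_pe32(0xF5C52262, 0x8540)   # values taken from the report's PE table
    header = parse_pe_header(sample)
    print(hex(header["entry_point_va"]), header["dll_characteristics"])
    print(timestamp_findings(header["timestamp"]))
```

One caveat when reading this field on a .NET binary: deterministic Roslyn builds write a hash-derived value into TimeDateStamp rather than the build time, so an impossible date is weaker evidence for a managed assembly than for native code. Here it corroborates a verdict that the behavioural signatures already establish.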
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the second line is repeated 97 times in the report: the disassembler is decoding the 00 00 padding that follows the stub. The one real instruction is the usual .NET PE32 entry stub, a jump through the import address table slot that the loader points at mscoree!_CorExeMain; the managed code runs under the CLR and is not visible in this listing.)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf859a | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfa000 | 0x5b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf4974 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf65f4 | 0xf6600 | ab69b5921b60469b8746f93e45510320 | False | 0.9093466593734145 | data | 7.837102538187458 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xfa000 | 0x5b4 | 0x600 | cecd7d7e8fe092b21855a20154fa1a10 | False | 0.4212239583333333 | data | 4.1104997201495825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfc000 | 0xc | 0x200 | 4ebf92dc894c2ee1447204609a23125f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xfa090 | 0x324 | data | | | 0.42786069651741293
RT_MANIFEST | 0xfa3c4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T17:03:26.428421+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.7 | 49704 | 104.250.180.178 | 7902 | TCP
2024-12-03T17:03:30.988392+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.7 | 49713 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 17:03:29.358349085 CET | 59393 | 53 | 192.168.2.7 | 1.1.1.1
Dec 3, 2024 17:03:29.502621889 CET | 53 | 59393 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 17:03:29.358349085 CET | 192.168.2.7 | 1.1.1.1 | 0x3d6f | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 17:03:29.502621889 CET | 1.1.1.1 | 192.168.2.7 | 0x3d6f | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49713 | 178.237.33.50 | 80 | 6768 | C:\ProgramData\Adobe\Adobe.exe
Timestamp: Dec 3, 2024 17:03:29.652636051 CET | Bytes transferred: 71 | Direction: OUT
GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Timestamp: Dec 3, 2024 17:03:30.986015081 CET | Bytes transferred: 1171 | Direction: IN
HTTP/1.1 200 OK
date: Tue, 03 Dec 2024 16:03:30 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                        Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                                        Target ID:0
                                                        Start time:11:03:19
                                                        Start date:03/12/2024
                                                        Path:C:\Users\user\Desktop\aDGx3jaI7i.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\aDGx3jaI7i.exe"
                                                        Imagebase:0x9c0000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1329927714.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:11:03:20
                                                        Start date:03/12/2024
                                                        Path:C:\Users\user\Desktop\aDGx3jaI7i.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\aDGx3jaI7i.exe"
                                                        Imagebase:0xef0000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1327834572.00000000014BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:11:03:21
                                                        Start date:03/12/2024
                                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                        Imagebase:0x7d0000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 74%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:11:03:22
                                                        Start date:03/12/2024
                                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                        Imagebase:0xfe0000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3762484937.0000000001687000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:8
                                                        Start time:11:03:33
                                                        Start date:03/12/2024
                                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                        Imagebase:0xd00000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:11:03:34
                                                        Start date:03/12/2024
                                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                        Imagebase:0xd70000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.1451161345.000000000125A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:12:32:24
                                                        Start date:03/12/2024
                                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                        Imagebase:0x800000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:12:32:25
                                                        Start date:03/12/2024
                                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                        Imagebase:0x2a0000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:12:32:25
                                                        Start date:03/12/2024
                                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                        Imagebase:0x990000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1542202226.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:12:32:32
                                                        Start date:03/12/2024
                                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                        Imagebase:0xba0000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:15
                                                        Start time:12:32:33
                                                        Start date:03/12/2024
                                                        Path:C:\ProgramData\Adobe\Adobe.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                                        Imagebase:0xc80000
                                                        File size:1'011'712 bytes
                                                        MD5 hash:18DF057D5952C7F5366335FF201849B5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1618135964.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:9.4%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:32
                                                          Total number of Limit Nodes:5

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 011DD79E
                                                          • GetCurrentThread.KERNEL32 ref: 011DD7DB
                                                          • GetCurrentProcess.KERNEL32 ref: 011DD818
                                                          • GetCurrentThreadId.KERNEL32 ref: 011DD871
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1327876132.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_11d0000_aDGx3jaI7i.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 011DB6DE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1327876132.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_11d0000_aDGx3jaI7i.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 011D59C9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1327876132.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_11d0000_aDGx3jaI7i.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 011D59C9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1327876132.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_11d0000_aDGx3jaI7i.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0

                                                          Control-flow Graph

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011DD9EF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1327876132.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_11d0000_aDGx3jaI7i.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 011DB6DE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1327876132.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_11d0000_aDGx3jaI7i.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0

                                                          Execution Graph

                                                          Execution Coverage:2%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:2.2%
                                                          Total number of Nodes:742
                                                          Total number of Limit Nodes:17
47395->47397 47396->47395 47398 401e65 22 API calls 47396->47398 47402 40f210 47397->47402 47400 40f1b9 47398->47400 47399->47387 48049 41a045 102 API calls 2 library calls 47399->48049 47403 401e65 22 API calls 47400->47403 47401 40f255 47765 41b69e 79 API calls 47401->47765 47402->47401 47405 401e65 22 API calls 47402->47405 47406 40f1ce 47403->47406 47408 40f225 47405->47408 47762 40da23 31 API calls 47406->47762 47407 40f25e 47409 401f13 28 API calls 47407->47409 47413 401e65 22 API calls 47408->47413 47410 40f269 47409->47410 47412 401f09 11 API calls 47410->47412 47415 40f272 CreateThread 47412->47415 47416 40f23a 47413->47416 47414 40f1e1 47417 401f13 28 API calls 47414->47417 47420 40f293 CreateThread 47415->47420 47421 40f29f 47415->47421 48050 40f7e2 120 API calls 47415->48050 47763 43bb2c 39 API calls _strftime 47416->47763 47419 40f1ed 47417->47419 47422 401f09 11 API calls 47419->47422 47420->47421 48051 412132 137 API calls 47420->48051 47423 40f2b4 47421->47423 47424 40f2a8 CreateThread 47421->47424 47426 40f1f6 CreateThread 47422->47426 47428 40f307 47423->47428 47430 402093 28 API calls 47423->47430 47424->47423 48046 412716 38 API calls ___scrt_fastfail 47424->48046 47426->47395 48047 401be9 49 API calls _strftime 47426->48047 47427 40f247 47764 40c19d 7 API calls 47427->47764 47767 41353a RegOpenKeyExA RegQueryValueExA RegCloseKey 47428->47767 47431 40f2d7 47430->47431 47766 4052fd 28 API calls 47431->47766 47434 40f31f 47434->47288 47437 41bcef 28 API calls 47434->47437 47439 40f338 47437->47439 47768 413656 31 API calls 47439->47768 47444 40f34e 47445 401f09 11 API calls 47444->47445 47448 40f359 47445->47448 47446 40f381 DeleteFileW 47447 40f388 47446->47447 47446->47448 47447->47268 47448->47446 47448->47447 47449 40f36f Sleep 47448->47449 47449->47448 47450->47138 47451->47143 47452->47141 47453->47146 47454->47155 47455->47156 47456->47158 47457->47161 47458->47165 47459->47167 47460->47170 47461->47168 47463 434bb8 GetStartupInfoW 
47462->47463 47463->47176 47465 44f0eb 47464->47465 47466 44f0e2 47464->47466 47465->47180 47469 44efd8 48 API calls 5 library calls 47466->47469 47468->47180 47469->47465 47471 41cc20 LoadLibraryA GetProcAddress 47470->47471 47472 41cc10 GetModuleHandleA GetProcAddress 47470->47472 47473 41cc49 44 API calls 47471->47473 47474 41cc39 LoadLibraryA GetProcAddress 47471->47474 47472->47471 47473->47184 47474->47473 47774 41b539 FindResourceA 47475->47774 47479 40f428 _Yarn 47784 4020b7 47479->47784 47482 401fe2 28 API calls 47483 40f44e 47482->47483 47484 401fd8 11 API calls 47483->47484 47485 40f457 47484->47485 47486 43bda0 _Yarn 21 API calls 47485->47486 47487 40f468 _Yarn 47486->47487 47790 406e13 47487->47790 47489 40f49b 47489->47186 47491 40210c 47490->47491 47492 4023ce 11 API calls 47491->47492 47493 402126 47492->47493 47494 402569 28 API calls 47493->47494 47495 402134 47494->47495 47495->47189 47844 4020df 47496->47844 47498 41bf2f 47499 401fd8 11 API calls 47498->47499 47500 41bf61 47499->47500 47502 401fd8 11 API calls 47500->47502 47501 41bf31 47850 4041a2 28 API calls 47501->47850 47505 41bf69 47502->47505 47506 401fd8 11 API calls 47505->47506 47508 40ea5f 47506->47508 47507 41bf3d 47509 401fe2 28 API calls 47507->47509 47518 40fb52 47508->47518 47511 41bf46 47509->47511 47510 401fe2 28 API calls 47517 41bebf 47510->47517 47512 401fd8 11 API calls 47511->47512 47514 41bf4e 47512->47514 47513 401fd8 11 API calls 47513->47517 47851 41cec5 28 API calls 47514->47851 47517->47498 47517->47501 47517->47510 47517->47513 47848 4041a2 28 API calls 47517->47848 47849 41cec5 28 API calls 47517->47849 47519 40fb5e 47518->47519 47521 40fb65 47518->47521 47852 402163 11 API calls 47519->47852 47521->47194 47523 402163 47522->47523 47524 40219f 47523->47524 47853 402730 11 API calls 47523->47853 47524->47196 47526 402184 47854 402712 11 API calls std::_Deallocate 47526->47854 47529 401e6d 47528->47529 47530 401e75 47529->47530 47855 402158 22 API calls 47529->47855 
47530->47201 47534 4020df 11 API calls 47533->47534 47535 40532a 47534->47535 47856 4032a0 47535->47856 47537 405346 47537->47210 47860 4051ef 47538->47860 47540 406391 47864 402055 47540->47864 47543 401fe2 47544 401ff1 47543->47544 47551 402039 47543->47551 47545 4023ce 11 API calls 47544->47545 47546 401ffa 47545->47546 47547 40203c 47546->47547 47548 402015 47546->47548 47549 40267a 11 API calls 47547->47549 47879 403098 28 API calls 47548->47879 47549->47551 47552 401fd8 47551->47552 47553 4023ce 11 API calls 47552->47553 47554 401fe1 47553->47554 47554->47221 47556 401fd2 47555->47556 47557 401fc9 47555->47557 47556->47227 47880 4025e0 28 API calls 47557->47880 47881 401fab 47559->47881 47561 40d0ae CreateMutexA GetLastError 47561->47243 47882 41c048 47562->47882 47567 401fe2 28 API calls 47568 41b390 47567->47568 47569 401fd8 11 API calls 47568->47569 47570 41b398 47569->47570 47571 4135e1 31 API calls 47570->47571 47573 41b3ee 47570->47573 47572 41b3c1 47571->47572 47574 41b3cc StrToIntA 47572->47574 47573->47250 47575 41b3e3 47574->47575 47576 41b3da 47574->47576 47578 401fd8 11 API calls 47575->47578 47890 41cffa 22 API calls 47576->47890 47578->47573 47580 407765 47579->47580 47581 413584 3 API calls 47580->47581 47582 40776c 47581->47582 47582->47260 47582->47261 47584 41bd03 47583->47584 47891 40b93f 47584->47891 47586 41bd0b 47586->47276 47588 401f22 47587->47588 47589 401f6a 47587->47589 47590 402252 11 API calls 47588->47590 47596 401f09 47589->47596 47591 401f2b 47590->47591 47592 401f6d 47591->47592 47593 401f46 47591->47593 47924 402336 47592->47924 47923 40305c 28 API calls 47593->47923 47597 402252 11 API calls 47596->47597 47598 401f12 47597->47598 47598->47289 47928 401f86 47599->47928 47602 40dae0 47606 41c048 GetCurrentProcess 47602->47606 47603 40daab 47938 41b645 29 API calls 47603->47938 47604 40dbd4 GetLongPathNameW 47932 40417e 47604->47932 47605 40daa1 47605->47604 47609 40dae5 47606->47609 47612 40dae9 47609->47612 47613 40db3b 
47609->47613 47610 40dab4 47614 401f13 28 API calls 47610->47614 47617 40417e 28 API calls 47612->47617 47616 40417e 28 API calls 47613->47616 47652 40dabe 47614->47652 47615 40417e 28 API calls 47618 40dbf8 47615->47618 47619 40db49 47616->47619 47620 40daf7 47617->47620 47941 40de0c 28 API calls 47618->47941 47625 40417e 28 API calls 47619->47625 47626 40417e 28 API calls 47620->47626 47621 401f09 11 API calls 47621->47605 47623 40dc0b 47942 402fa5 28 API calls 47623->47942 47628 40db5f 47625->47628 47629 40db0d 47626->47629 47627 40dc16 47943 402fa5 28 API calls 47627->47943 47940 402fa5 28 API calls 47628->47940 47939 402fa5 28 API calls 47629->47939 47633 40db18 47637 401f13 28 API calls 47633->47637 47634 40dc20 47638 401f09 11 API calls 47634->47638 47635 40db6a 47636 401f13 28 API calls 47635->47636 47639 40db75 47636->47639 47640 40db23 47637->47640 47641 40dc2a 47638->47641 47643 401f09 11 API calls 47639->47643 47644 401f09 11 API calls 47640->47644 47642 401f09 11 API calls 47641->47642 47645 40dc33 47642->47645 47646 40db7e 47643->47646 47647 40db2c 47644->47647 47648 401f09 11 API calls 47645->47648 47649 401f09 11 API calls 47646->47649 47650 401f09 11 API calls 47647->47650 47651 40dc3c 47648->47651 47649->47652 47650->47652 47653 401f09 11 API calls 47651->47653 47652->47621 47654 40dc45 47653->47654 47655 401f09 11 API calls 47654->47655 47656 40dc4e 47655->47656 47656->47325 47658 40ce47 _wcslen 47657->47658 47659 40ce51 47658->47659 47660 40ce9b 47658->47660 47663 40ce5a CreateDirectoryW 47659->47663 47661 40da6f 31 API calls 47660->47661 47662 40cead 47661->47662 47664 401f13 28 API calls 47662->47664 47945 409196 47663->47945 47666 40ce99 47664->47666 47669 401f09 11 API calls 47666->47669 47667 40ce76 47979 403014 47667->47979 47674 40cec4 47669->47674 47671 401f13 28 API calls 47672 40ce90 47671->47672 47673 401f09 11 API calls 47672->47673 47673->47666 47675 40cefa 47674->47675 47676 40cedd 47674->47676 47677 40cf03 CopyFileW 47675->47677 
47678 40cd48 31 API calls 47676->47678 47679 40cfd4 47677->47679 47680 40cf15 _wcslen 47677->47680 47713 40ceee 47678->47713 47952 40cd48 47679->47952 47680->47679 47683 40cf31 47680->47683 47684 40cf84 47680->47684 47688 40da6f 31 API calls 47683->47688 47687 40da6f 31 API calls 47684->47687 47685 40d01a 47690 40d062 CloseHandle 47685->47690 47696 40417e 28 API calls 47685->47696 47686 40cfee 47694 40cff7 SetFileAttributesW 47686->47694 47691 40cf8a 47687->47691 47689 40cf37 47688->47689 47693 401f13 28 API calls 47689->47693 47978 401f04 47690->47978 47692 401f13 28 API calls 47691->47692 47726 40cf7e 47692->47726 47697 40cf43 47693->47697 47710 40d006 _wcslen 47694->47710 47699 40d030 47696->47699 47700 401f09 11 API calls 47697->47700 47698 40d07e ShellExecuteW 47701 40d091 47698->47701 47702 40d09b ExitProcess 47698->47702 47703 41bcef 28 API calls 47699->47703 47705 40cf4c 47700->47705 47706 40d0a4 CreateMutexA GetLastError 47701->47706 47707 40d043 47703->47707 47704 401f09 11 API calls 47708 40cf9c 47704->47708 47709 409196 28 API calls 47705->47709 47706->47713 47985 41384f RegCreateKeyW 47707->47985 47715 40cfa8 CreateDirectoryW 47708->47715 47711 40cf60 47709->47711 47710->47685 47712 40d017 SetFileAttributesW 47710->47712 47716 403014 28 API calls 47711->47716 47712->47685 47713->47332 47984 401f04 47715->47984 47719 40cf6c 47716->47719 47722 401f13 28 API calls 47719->47722 47720 401f09 11 API calls 47720->47690 47724 40cf75 47722->47724 47725 401f09 11 API calls 47724->47725 47725->47726 47726->47704 47727->47202 47728->47209 47729->47214 47731->47235 47733 4135ae RegQueryValueExA RegCloseKey 47732->47733 47734 40ebdf 47732->47734 47733->47734 47734->47232 47734->47249 47735->47239 47736->47267 47737->47260 47738->47252 47739->47266 47740->47336 47741->47356 47742->47318 47744 40209b 47743->47744 47745 4023ce 11 API calls 47744->47745 47746 4020a6 47745->47746 48038 4024ed 47746->48038 47749->47337 47750->47342 47751->47348 47752->47359 47753->47367 
47754->47378 47759 434563 47755->47759 47756 43bda0 _Yarn 21 API calls 47756->47759 47757 40f10c 47757->47385 47759->47756 47759->47757 48042 443001 7 API calls 2 library calls 47759->48042 48043 434c99 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47759->48043 48044 4352fb RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47759->48044 47762->47414 47763->47427 47764->47401 47765->47407 47767->47434 47768->47444 47769->47257 47771->47280 47772->47292 48045 41ada8 104 API calls 47773->48045 47775 41b556 LoadResource LockResource SizeofResource 47774->47775 47776 40f419 47774->47776 47775->47776 47777 43bda0 47776->47777 47783 4461b8 ___crtLCMapStringA 47777->47783 47778 4461f6 47794 44062d 20 API calls __dosmaperr 47778->47794 47780 4461e1 RtlAllocateHeap 47781 4461f4 47780->47781 47780->47783 47781->47479 47783->47778 47783->47780 47793 443001 7 API calls 2 library calls 47783->47793 47785 4020bf 47784->47785 47795 4023ce 47785->47795 47787 4020ca 47799 40250a 47787->47799 47789 4020d9 47789->47482 47791 4020b7 28 API calls 47790->47791 47792 406e27 47791->47792 47792->47489 47793->47783 47794->47781 47796 402428 47795->47796 47797 4023d8 47795->47797 47796->47787 47797->47796 47806 4027a7 11 API calls std::_Deallocate 47797->47806 47800 40251a 47799->47800 47801 402520 47800->47801 47802 402535 47800->47802 47807 402569 47801->47807 47817 4028e8 47802->47817 47805 402533 47805->47789 47806->47796 47828 402888 47807->47828 47809 40257d 47810 402592 47809->47810 47811 4025a7 47809->47811 47833 402a34 22 API calls 47810->47833 47813 4028e8 28 API calls 47811->47813 47816 4025a5 47813->47816 47814 40259b 47834 4029da 22 API calls 47814->47834 47816->47805 47818 4028f1 47817->47818 47819 402953 47818->47819 47820 4028fb 47818->47820 47842 4028a4 22 API calls 47819->47842 47823 402904 47820->47823 47824 402917 47820->47824 47836 402cae 47823->47836 47826 402915 47824->47826 47827 4023ce 11 API calls 47824->47827 47826->47805 
47827->47826 47829 402890 47828->47829 47830 402898 47829->47830 47835 402ca3 22 API calls 47829->47835 47830->47809 47833->47814 47834->47816 47837 402cb8 __EH_prolog 47836->47837 47843 402e54 22 API calls 47837->47843 47839 4023ce 11 API calls 47841 402d92 47839->47841 47840 402d24 47840->47839 47841->47826 47843->47840 47845 4020e7 47844->47845 47846 4023ce 11 API calls 47845->47846 47847 4020f2 47846->47847 47847->47517 47848->47517 47849->47517 47850->47507 47851->47498 47852->47521 47853->47526 47854->47524 47857 4032aa 47856->47857 47858 4032c9 47857->47858 47859 4028e8 28 API calls 47857->47859 47858->47537 47859->47858 47861 4051fb 47860->47861 47870 405274 47861->47870 47863 405208 47863->47540 47865 402061 47864->47865 47866 4023ce 11 API calls 47865->47866 47867 40207b 47866->47867 47875 40267a 47867->47875 47871 405282 47870->47871 47874 4028a4 22 API calls 47871->47874 47876 40268b 47875->47876 47877 4023ce 11 API calls 47876->47877 47878 40208d 47877->47878 47878->47543 47879->47551 47880->47556 47883 41b362 47882->47883 47884 41c055 GetCurrentProcess 47882->47884 47885 4135e1 RegOpenKeyExA 47883->47885 47884->47883 47886 41360f RegQueryValueExA RegCloseKey 47885->47886 47887 413639 47885->47887 47886->47887 47888 402093 28 API calls 47887->47888 47889 41364e 47888->47889 47889->47567 47890->47575 47892 40b947 47891->47892 47897 402252 47892->47897 47894 40b952 47901 40b967 47894->47901 47896 40b961 47896->47586 47898 4022ac 47897->47898 47899 40225c 47897->47899 47898->47894 47899->47898 47908 402779 11 API calls std::_Deallocate 47899->47908 47902 40b9a1 47901->47902 47903 40b973 47901->47903 47920 4028a4 22 API calls 47902->47920 47909 4027e6 47903->47909 47907 40b97d 47907->47896 47908->47898 47910 4027ef 47909->47910 47911 402851 47910->47911 47912 4027f9 47910->47912 47922 4028a4 22 API calls 47911->47922 47915 402802 47912->47915 47916 402815 47912->47916 47921 402aea 28 API calls __EH_prolog 47915->47921 47917 402813 47916->47917 47919 402252 
11 API calls 47916->47919 47917->47907 47919->47917 47921->47917 47923->47589 47925 402347 47924->47925 47926 402252 11 API calls 47925->47926 47927 4023c7 47926->47927 47927->47589 47929 401f8e 47928->47929 47930 402252 11 API calls 47929->47930 47931 401f99 47930->47931 47931->47602 47931->47603 47931->47605 47933 404186 47932->47933 47934 402252 11 API calls 47933->47934 47935 404191 47934->47935 47944 4041bc 28 API calls 47935->47944 47937 40419c 47937->47615 47938->47610 47939->47633 47940->47635 47941->47623 47942->47627 47943->47634 47944->47937 47946 401f86 11 API calls 47945->47946 47947 4091a2 47946->47947 47991 40314c 47947->47991 47949 4091bf 47995 40325d 47949->47995 47951 4091c7 47951->47667 47953 40cdaa 47952->47953 47954 40cd6e 47952->47954 47955 40cdeb 47953->47955 47957 40b9b7 28 API calls 47953->47957 48009 40b9b7 47954->48009 47958 40ce2c 47955->47958 47960 40b9b7 28 API calls 47955->47960 47962 40cdc1 47957->47962 47958->47685 47958->47686 47963 40ce02 47960->47963 47961 403014 28 API calls 47964 40cd8a 47961->47964 47965 403014 28 API calls 47962->47965 47966 403014 28 API calls 47963->47966 47967 41384f 14 API calls 47964->47967 47968 40cdcb 47965->47968 47969 40ce0c 47966->47969 47970 40cd9e 47967->47970 47971 41384f 14 API calls 47968->47971 47972 41384f 14 API calls 47969->47972 47973 401f09 11 API calls 47970->47973 47974 40cddf 47971->47974 47975 40ce20 47972->47975 47973->47953 47976 401f09 11 API calls 47974->47976 47977 401f09 11 API calls 47975->47977 47976->47955 47977->47958 48016 403222 47979->48016 47981 403022 48020 403262 47981->48020 47986 4138a1 47985->47986 47987 413864 47985->47987 47988 401f09 11 API calls 47986->47988 47990 41387d RegSetValueExW RegCloseKey 47987->47990 47989 40d056 47988->47989 47989->47720 47990->47986 47992 403156 47991->47992 47993 4027e6 28 API calls 47992->47993 47994 403175 47992->47994 47993->47994 47994->47949 47996 40323f 47995->47996 47999 4036a6 47996->47999 47998 40324c 47998->47951 48000 
402888 22 API calls 47999->48000 48001 4036b9 48000->48001 48002 40372c 48001->48002 48003 4036de 48001->48003 48008 4028a4 22 API calls 48002->48008 48006 4027e6 28 API calls 48003->48006 48007 4036f0 48003->48007 48006->48007 48007->47998 48010 401f86 11 API calls 48009->48010 48011 40b9c3 48010->48011 48012 40314c 28 API calls 48011->48012 48013 40b9df 48012->48013 48014 40325d 28 API calls 48013->48014 48015 40b9f2 48014->48015 48015->47961 48017 40322e 48016->48017 48026 403618 48017->48026 48019 40323b 48019->47981 48021 40326e 48020->48021 48022 402252 11 API calls 48021->48022 48023 403288 48022->48023 48024 402336 11 API calls 48023->48024 48025 403031 48024->48025 48025->47671 48027 403626 48026->48027 48028 403644 48027->48028 48029 40362c 48027->48029 48030 40365c 48028->48030 48031 40369e 48028->48031 48032 4036a6 28 API calls 48029->48032 48033 403642 48030->48033 48035 4027e6 28 API calls 48030->48035 48037 4028a4 22 API calls 48031->48037 48032->48033 48033->48019 48035->48033 48039 4024f9 48038->48039 48040 40250a 28 API calls 48039->48040 48041 4020b1 48040->48041 48041->47331 48042->47759 48053 412829 61 API calls 48051->48053 48054 43bea8 48057 43beb4 _swprintf ___BuildCatchObject 48054->48057 48055 43bec2 48070 44062d 20 API calls __dosmaperr 48055->48070 48057->48055 48058 43beec 48057->48058 48065 445909 EnterCriticalSection 48058->48065 48060 43bef7 48066 43bf98 48060->48066 48061 43bec7 ___BuildCatchObject ___std_exception_copy 48065->48060 48067 43bfa6 48066->48067 48069 43bf02 48067->48069 48072 4497ec 36 API calls 2 library calls 48067->48072 48071 43bf1f LeaveCriticalSection std::_Lockit::~_Lockit 48069->48071 48070->48061 48071->48061 48072->48067 48073 40165e 48074 401666 48073->48074 48075 401669 48073->48075 48076 4016a8 48075->48076 48078 401696 48075->48078 48077 43455e new 22 API calls 48076->48077 48080 40169c 48077->48080 48079 43455e new 22 API calls 48078->48079 48079->48080

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                          • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                          • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                          • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                          • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                                          • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                                          • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad$HandleModule
                                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                          • API String ID: 4236061018-3687161714
                                                          • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                          • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                                          • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                                          • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                                          Control-flow Graph

400->401 404 40f293-40f29d CreateThread 401->404 405 40f29f-40f2a6 401->405 404->405 408 40f2b4-40f2bb 405->408 409 40f2a8-40f2b2 CreateThread 405->409 412 40f2c9 408->412 413 40f2bd-40f2c0 408->413 409->408 418 40f2ce-40f302 call 402093 call 4052fd call 402093 call 41b580 call 401fd8 412->418 415 40f2c2-40f2c7 413->415 416 40f307-40f322 call 401fab call 41353a 413->416 415->418 416->156 427 40f328-40f368 call 41bcef call 401f04 call 413656 call 401f09 call 401f04 416->427 418->416 443 40f381-40f386 DeleteFileW 427->443 444 40f388 443->444 445 40f36a-40f36d 443->445 444->126 445->126 446 40f36f-40f37c Sleep call 401f04 445->446 446->443
                                                          APIs
                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                                            • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                                            • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                                            • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\aDGx3jaI7i.exe,00000104), ref: 0040EA29
                                                            • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                          • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\aDGx3jaI7i.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                                          • API String ID: 2830904901-384365559
                                                          • Opcode ID: ee0e117e6c276c318fe6ca7d8b92c193a7713c226bf446745b970d809f292d4a
                                                          • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                                          • Opcode Fuzzy Hash: ee0e117e6c276c318fe6ca7d8b92c193a7713c226bf446745b970d809f292d4a
                                                          • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                                          Control-flow Graph

                                                          APIs
                                                          • _wcslen.LIBCMT ref: 0040CE42
                                                          • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                                          • CopyFileW.KERNELBASE(C:\Users\user\Desktop\aDGx3jaI7i.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                                          • _wcslen.LIBCMT ref: 0040CF21
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\aDGx3jaI7i.exe,00000000,00000000), ref: 0040CFBF
                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                                          • _wcslen.LIBCMT ref: 0040D001
                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D068
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                                          • ExitProcess.KERNEL32 ref: 0040D09D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                          • String ID: 6$C:\Users\user\Desktop\aDGx3jaI7i.exe$del$open
                                                          • API String ID: 1579085052-2018874254
                                                          • Opcode ID: 78ec28f4913f4d3f9f1528364862cf6ae71335d4f1464bd7cdb9a6dc9c28360f
                                                          • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                                          • Opcode Fuzzy Hash: 78ec28f4913f4d3f9f1528364862cf6ae71335d4f1464bd7cdb9a6dc9c28360f
                                                          • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E

                                                          Control-flow Graph

                                                          APIs
                                                          • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DBD5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LongNamePath
                                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                          • API String ID: 82841172-425784914
                                                          • Opcode ID: be4ac8304f295cf4b46394ea231ea9abe9adb1149d3e26b594abad322c0f2439
                                                          • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                                          • Opcode Fuzzy Hash: be4ac8304f295cf4b46394ea231ea9abe9adb1149d3e26b594abad322c0f2439
                                                          • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                            • Part of subcall function 004135E1: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                            • Part of subcall function 004135E1: RegCloseKey.KERNELBASE(?), ref: 0041362D
                                                          • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCurrentOpenProcessQueryValue
                                                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                          • API String ID: 1866151309-2070987746
                                                          • Opcode ID: c98b1087101755a38b82246d9aa98e7144fe1c3d7bc526724a740bbc80c710b4
                                                          • Instruction ID: f33cb4008a08c387480eb48f471200dcc92f04aa72c22424ac0a9b44a4c1d04d
                                                          • Opcode Fuzzy Hash: c98b1087101755a38b82246d9aa98e7144fe1c3d7bc526724a740bbc80c710b4
                                                          • Instruction Fuzzy Hash: 8811C47064014926C704B7658C97EFE76198790344F94413BF806A61D3FB6C598683EE

                                                          Control-flow Graph

control_flow_graph (rendered graph, summarised): 0041384F RegCreateKeyW; one branch (00413864-0041389F) executes RegSetValueExW then RegCloseKey, the other (004138A1) skips them; both rejoin at 004138A3.
                                                          APIs
                                                          • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
                                                          • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,771B37E0,?), ref: 00413888
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,771B37E0,?,?,?,?,?,0040CFE5,?,00000000), ref: 00413893
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413858
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                          • API String ID: 1818849710-1051519024
                                                          • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                                          • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                                          • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                                          • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94

                                                          Control-flow Graph

control_flow_graph (rendered graph, summarised): single block 0040D0A4-0040D0D0: call 00401FAB, CreateMutexA, GetLastError.
                                                          APIs
                                                          • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                                          • GetLastError.KERNEL32 ref: 0040D0BE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateErrorLastMutex
                                                          • String ID: SG
                                                          • API String ID: 1925916568-3189917014
                                                          • Opcode ID: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                                          • Instruction ID: 57749e379dff282fb0cfe370275dd79dddcb706c5168e3a31171962593876721
                                                          • Opcode Fuzzy Hash: eabddf02165d7cb7ab60b975d5c9d75332e346c4e6257b5baf50d4a4f7034b19
                                                          • Instruction Fuzzy Hash: 0DD012B0605700EBDB186770ED5975839559744702F40487AB50FD99F1CBBC88908519

                                                          Control-flow Graph

control_flow_graph (rendered graph, summarised): 004135E1 RegOpenKeyExA; one branch (0041360F-00413637) executes RegQueryValueExA then RegCloseKey, the other (00413642) skips them; paths rejoin at 00413649 (call 00402093).
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                          • RegCloseKey.KERNELBASE(?), ref: 0041362D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: 859e64f62c27df18338a46db6ec3b0787647947da56704c1ae6da14bd80b9033
                                                          • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                                          • Opcode Fuzzy Hash: 859e64f62c27df18338a46db6ec3b0787647947da56704c1ae6da14bd80b9033
                                                          • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
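The API traces above (the copy/install routine at 0040CE34 with CopyFileW, SetFileAttributesW(…,00000007) and ShellExecuteW; the Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run write at 0041384F; the CreateMutexA/GetLastError guard at 0040D0A4; the HKCU read at 004135E1; and the LoadLibraryA/GetProcAddress resolution in 0041CBE1) print their arguments as raw hex. The script below is an added example, not Joe Sandbox code and nothing from the sample: it parses trace lines in exactly the report's bullet format and names the HKEY roots, registry access masks, value types and file-attribute bits, tagging the calls an analyst would flag. The sample lines are copied from this report; the tag vocabulary, the Finding record and the assumption that the second stack slot shown for LoadLibraryA is the name passed to GetProcAddress (as it is on every 0041CBE1 line above) are this example's own.

```python
"""Decode Joe Sandbox "APIs" trace bullets into triage findings.
Added example for the report above, not Joe Sandbox or sample code: it parses lines in the
report's own format ("• Api.MODULE(args), ref: addr") and names the raw hex arguments."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: lines copied verbatim from the APIs sections of this report.
SAMPLE_TRACE = r"""
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\aDGx3jaI7i.exe,00000104), ref: 0040EA29
• CopyFileW.KERNEL32(C:\Users\user\Desktop\aDGx3jaI7i.exe,00000000,00000000), ref: 0040CFBF
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
• ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
• RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041385A
• RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?), ref: 00413888
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC43), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
• RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
  • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)
# Win32 constants needed to read the raw hex arguments.
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
FILE_ATTRS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x20: "ARCHIVE", 0x80: "NORMAL"}
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\policies\\explorer\\run")

@dataclass
class Finding:
    ref: str                 # call-site address in the dumped image
    api: str
    detail: str = ""         # decoded arguments
    tags: list = field(default_factory=list)
    caller: str = ""         # set for "Part of subcall function" entries

def _hex(arg):
    """Parse a trace argument as hex; None for strings, '?' and other non-numbers."""
    try:
        return int(arg, 16)
    except ValueError:
        return None

def decode_line(line):
    """Turn one trace bullet into a Finding, or None if the line is not a trace entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    caller, api, _module, raw_args, ref = m.groups()
    args = raw_args.split(",") if raw_args else []
    f = Finding(ref=ref, api=api, caller=caller or "")
    if api.startswith(("RegCreateKey", "RegOpenKey")) and len(args) >= 2:
        root = HKEYS.get(_hex(args[0]), args[0])
        # A numeric second slot means the trace did not resolve the subkey string.
        subkey = "<unresolved>" if _hex(args[1]) is not None else args[1]
        f.detail = f"{root}\\{subkey}"
        if api.startswith("RegOpenKeyEx") and len(args) >= 4:
            f.detail += f" ({REG_ACCESS.get(_hex(args[3]), args[3])})"
        if subkey.lower().rstrip("\\").endswith(RUN_KEY_SUFFIXES):
            f.tags.append("persistence:run-key")
    elif api.startswith("RegSetValueEx") and len(args) >= 4:
        f.detail = f"type={REG_TYPES.get(_hex(args[3]), args[3])}"
    elif api.startswith("SetFileAttributes") and len(args) >= 2:
        mask = _hex(args[1]) or 0
        f.detail = "|".join(n for bit, n in FILE_ATTRS.items() if mask & bit)
        if (mask & 0x6) == 0x6:  # HIDDEN+SYSTEM: not shown under Explorer defaults
            f.tags.append("defense-evasion:hidden-system-file")
    elif api.startswith("CreateMutex") and len(args) >= 2:
        f.detail = f"bInitialOwner={_hex(args[1])}; GetLastError()==183 (ERROR_ALREADY_EXISTS) afterwards means another instance runs"
        f.tags.append("single-instance:mutex")
    elif api.startswith("ShellExecute") and len(args) >= 6:
        f.detail = f"verb={args[1]} nShowCmd={args[5]}"
        f.tags.append("execution:shellexecute")
    elif api.startswith("CopyFile") and len(args) >= 2:
        f.detail = f"{args[0]} -> {args[1]}"
        f.tags.append("install:copy-file")
    elif api in ("LoadLibraryA", "LoadLibraryW", "GetModuleHandleA") and len(args) >= 2:
        # Assumption from this report's lines: the next stack slot is the GetProcAddress name.
        f.detail = f"library={args[0]} next-slot={args[1]}"
        f.tags.append("dynamic-import")
    else:
        f.detail = ",".join(args)
    return f

def triage(trace_text):
    """Decode every trace bullet in the text, in report order."""
    return [f for f in map(decode_line, trace_text.splitlines()) if f is not None]

def summarize(findings):
    """Tag counts, so the triage picture is visible at a glance."""
    return Counter(tag for f in findings for tag in f.tags)
```

Paste the bullets of any APIs section into a file and call `triage(open(path).read())`; each Finding carries the call-site address, so a tag such as `persistence:run-key` can be tied straight back to the function block in the report (here 0041384F), and `summarize()` gives the tag counts for a quick first read of a new sample.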

                                                          Control-flow Graph

control_flow_graph (rendered graph, summarised): 00413584 RegOpenKeyExA; one branch (004135AE-004135D9) executes RegQueryValueExA then RegCloseKey, the other (004135DB) skips them; paths rejoin at 004135DD.
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                                          • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID:
                                                          • API String ID: 3677997916-0
                                                          • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                          • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                                          • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                                          • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94

                                                          Control-flow Graph

control_flow_graph (rendered graph, summarised): 0040165E-004016B3, no Win32 calls; two call sites to 0043455E (00401696 and 004016A8).
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                                          • Instruction ID: 1e9d0a06bdb6e9f7b23a96960dfc4b712b0be9606a3b942e14a6d4fe6a34620f
                                                          • Opcode Fuzzy Hash: 9ebd29a8193938baf2c5ce5f6ec3a3ea5040e3c3e83895a942c6279db0e0dd98
                                                          • Instruction Fuzzy Hash: EBF0E2706042016BCB0C8B34CD50B2A37954B84325F248F7FF02BD61E0C73EC8918A0D

                                                          Control-flow Graph

control_flow_graph (rendered graph, summarised): 004461B8-00446205; RtlAllocateHeap at 004461E1-004461F2 with a loop back to it through 004455C6 and 00443001; the 004461F6 path calls 0044062D before exit.
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                          • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                                          • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                                          • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                                          APIs
                                                          • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                                          • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                                          • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                                            • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                            • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                            • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                                          • DeleteFileA.KERNEL32(?), ref: 0040868D
                                                            • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                                            • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                            • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                            • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                          • Sleep.KERNEL32(000007D0), ref: 00408733
                                                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                                            • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                                          • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                                          • API String ID: 1067849700-181434739
                                                          • Opcode ID: 242667388ace93a285d24bd66e2fdef32e2e69470e7232581263b217e76cb61c
                                                          • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                                          • Opcode Fuzzy Hash: 242667388ace93a285d24bd66e2fdef32e2e69470e7232581263b217e76cb61c
                                                          • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 004056E6
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • __Init_thread_footer.LIBCMT ref: 00405723
                                                          • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                                          • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                                          • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                                          • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                                          • CloseHandle.KERNEL32 ref: 00405A23
                                                          • CloseHandle.KERNEL32 ref: 00405A2B
                                                          • CloseHandle.KERNEL32 ref: 00405A3D
                                                          • CloseHandle.KERNEL32 ref: 00405A45
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                          • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                                          • API String ID: 2994406822-18413064
                                                          • Opcode ID: 069e1c8b270e62708b3ebeb5d363473b059d0bacde6312ecfb8e784b21879d38
                                                          • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                                          • Opcode Fuzzy Hash: 069e1c8b270e62708b3ebeb5d363473b059d0bacde6312ecfb8e784b21879d38
                                                          • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32 ref: 00412141
                                                            • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                            • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                            • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                                          • CloseHandle.KERNEL32(00000000), ref: 00412190
                                                          • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                          • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                          • API String ID: 3018269243-13974260
                                                          • Opcode ID: 8006cda52f5219bdd696dd0d675ffe777c2bf0d6e0fdc247cffe885ec1085c4b
                                                          • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                                          • Opcode Fuzzy Hash: 8006cda52f5219bdd696dd0d675ffe777c2bf0d6e0fdc247cffe885ec1085c4b
                                                          • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                                          • FindClose.KERNEL32(00000000), ref: 0040BC04
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                                          • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                          • API String ID: 1164774033-3681987949
                                                          • Opcode ID: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                          • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                                          • Opcode Fuzzy Hash: b41a8e288d6c781c84b11b836a0024b7a118f79960b3641b573c725179fdc384
                                                          • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 004168FD
                                                          • EmptyClipboard.USER32 ref: 0041690B
                                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                                          • GlobalLock.KERNEL32(00000000), ref: 00416934
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                                          • CloseClipboard.USER32 ref: 00416990
                                                          • OpenClipboard.USER32 ref: 00416997
                                                          • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                          • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                          • CloseClipboard.USER32 ref: 004169BF
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                          • String ID: !D@
                                                          • API String ID: 3520204547-604454484
                                                          • Opcode ID: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                                          • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                                          • Opcode Fuzzy Hash: 22014e37a0533ad6d5301b9a6db5ea665297cd973015afcf0188733ddc164352
                                                          • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                                          • FindClose.KERNEL32(00000000), ref: 0040BE04
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                                          • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                                          • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$Close$File$FirstNext
                                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                          • API String ID: 3527384056-432212279
                                                          • Opcode ID: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                                          • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                                          • Opcode Fuzzy Hash: 957e4b9f77f0127c971f2cbaa54e22c6f4c97dcdb1298e2b7e9e5f591e6deb8c
                                                          • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0041A04A
                                                          • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                                          • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                                          • GetLocalTime.KERNEL32(?), ref: 0041A196
                                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                          • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                                          • API String ID: 489098229-1431523004
                                                          • Opcode ID: ff633b37919728910dfc937bccb2b445014ea75fe5fd0d55b32db8f23cfde586
                                                          • Instruction ID: 12d64888f2a2aa40a87de1a625a26b3edd7a2139bf4817292c9f8cf1352d8a2d
                                                          • Opcode Fuzzy Hash: ff633b37919728910dfc937bccb2b445014ea75fe5fd0d55b32db8f23cfde586
                                                          • Instruction Fuzzy Hash: 7A517D70A002159ACB14BBB5C8529FD77A9AF54308F40407FF509AB1E2EF7C9D85C799
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F4C9
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                          • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                                          • API String ID: 3756808967-1743721670
                                                          • Opcode ID: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                          • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                                          • Opcode Fuzzy Hash: 7e174afa80332a6d9799d90a5ef8f927f9e1300862e9f2cc4ca1dfb4d5584e6a
                                                          • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$1$2$3$4$5$6$7$VG
                                                          • API String ID: 0-1861860590
                                                          • Opcode ID: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                          • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                                          • Opcode Fuzzy Hash: 23e062be4493d8f612a0f73d7cec249050aa78cf65a3b1cbc455386ce95aeb4f
                                                          • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 0040755C
                                                          • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Object_wcslen
                                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                          • API String ID: 240030777-3166923314
                                                          • Opcode ID: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                          • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                                          • Opcode Fuzzy Hash: ee0c587a1dfa56a4776c25ed63fc93c62e7d4b1650b4331978f6b80fa64f11fb
                                                          • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
                                                          APIs
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                                          • GetLastError.KERNEL32 ref: 0041A84C
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                          • String ID:
                                                          • API String ID: 3587775597-0
                                                          • Opcode ID: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                                                          • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                                          • Opcode Fuzzy Hash: b4f2e3a96ffad31793e55c3957a9d7d505f7fea0f7d1b1d8364ea5c68624dc3d
                                                          • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                                          APIs
                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                                          • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                                          • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                          • String ID: JD$JD$JD
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                                          • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                                          • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C37D
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C3AD
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C41F
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C42C
                                                            • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C402
                                                          • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C44D
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C463
                                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C46A
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C473
                                                          Similarity
                                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                          Similarity
                                                          • API ID: File$Find$CreateFirstNext
                                                          • String ID: 8SG$PXG$PXG$NG$PG
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                                          • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                                          • GetLastError.KERNEL32 ref: 0040A328
                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                                          • TranslateMessage.USER32(?), ref: 0040A385
                                                          • DispatchMessageA.USER32(?), ref: 0040A390
                                                          Strings
                                                          • Keylogger initialization failure: error , xrefs: 0040A33C
                                                          Similarity
                                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                          • String ID: Keylogger initialization failure: error
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 0040A451
                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                          • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                          • GetKeyState.USER32(00000010), ref: 0040A46E
                                                          • GetKeyboardState.USER32(?), ref: 0040A479
                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                                          Similarity
                                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                                          Similarity
                                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                                          APIs
                                                          • _free.LIBCMT ref: 00449292
                                                          • _free.LIBCMT ref: 004492B6
                                                          • _free.LIBCMT ref: 0044943D
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                          • _free.LIBCMT ref: 00449609
                                                          Similarity
                                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                          APIs
                                                            • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                            • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                            • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                            • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                            • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                                          Similarity
                                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                          • String ID: !D@$PowrProf.dll$SetSuspendState
                                                          APIs
                                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                                          • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                                          • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                                          Strings
                                                          • http://geoplugin.net/json.gp, xrefs: 0041B448
                                                          Similarity
                                                          • API ID: Internet$CloseHandleOpen$FileRead
                                                          • String ID: http://geoplugin.net/json.gp
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                                          • GetLastError.KERNEL32 ref: 0040BA93
                                                          Strings
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                                          • UserProfile, xrefs: 0040BA59
                                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                                          • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                                          • GetLastError.KERNEL32 ref: 004179D8
                                                          Similarity
                                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                          • String ID: SeShutdownPrivilege
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00409293
                                                            • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                                          • FindClose.KERNEL32(00000000), ref: 004093FC
                                                            • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                                            • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                                            • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                                          • FindClose.KERNEL32(00000000), ref: 004095F4
                                                            • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                                            • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                                          Similarity
                                                          • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                                          Similarity
                                                          • String ID: FSE$FSE$PkGNG
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                                          • String ID:
                                                          • API String ID: 276877138-0
                                                          • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                          • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                                          • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                                          • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                                          APIs
                                                            • Part of subcall function 00413584: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 004135A4
                                                            • Part of subcall function 00413584: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004135C2
                                                            • Part of subcall function 00413584: RegCloseKey.ADVAPI32(00000000), ref: 004135CD
                                                          • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                                          • ExitProcess.KERNEL32 ref: 0040F905
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                                          • String ID: 5.1.3 Pro$override$pth_unenc
                                                          • API String ID: 2281282204-1392497409
                                                          • Opcode ID: 8dc85b8ab8054d92d7c853158ed1b7be28c6e4132a02577863bfe4ed9005faa9
                                                          • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                                          • Opcode Fuzzy Hash: 8dc85b8ab8054d92d7c853158ed1b7be28c6e4132a02577863bfe4ed9005faa9
                                                          • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF
                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                                          • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: ACP$OCP
                                                          • API String ID: 2299586839-711371036
                                                          • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                          • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                                          • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                                          • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                                          APIs
                                                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                                          • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                                          • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                                          • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Resource$FindLoadLockSizeof
                                                          • String ID: SETTINGS
                                                          • API String ID: 3473537107-594951305
                                                          • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                          • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                                          • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                                          • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 004096A5
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstH_prologNext
                                                          • String ID:
                                                          • API String ID: 1157919129-0
                                                          • Opcode ID: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                          • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                                          • Opcode Fuzzy Hash: dd0421224294bb62472ab89505622d6763c67607e6c73e6d1c5958e8fabc376b
                                                          • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0040884C
                                                          • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                          • String ID:
                                                          • API String ID: 1771804793-0
                                                          • Opcode ID: c12026e9037f7077d6674168e11e0174e172a37dfeca1e693adefd43d85b88e8
                                                          • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                                          • Opcode Fuzzy Hash: c12026e9037f7077d6674168e11e0174e172a37dfeca1e693adefd43d85b88e8
                                                          • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DownloadExecuteFileShell
                                                          • String ID: C:\Users\user\Desktop\aDGx3jaI7i.exe$open
                                                          • API String ID: 2825088817-25955839
                                                          • Opcode ID: 194bc319dbbf73870cb717309eca5eed55f05450b30b29468f4271e2579073ce
                                                          • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                                          • Opcode Fuzzy Hash: 194bc319dbbf73870cb717309eca5eed55f05450b30b29468f4271e2579073ce
                                                          • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFind$FirstNextsend
                                                          • String ID: XPG$XPG
                                                          • API String ID: 4113138495-1962359302
                                                          • Opcode ID: d9722b1f8dd4e3be1274e677256ccf7990f5e649a2613ef60cc85d6cc6a2ecd3
                                                          • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                                          • Opcode Fuzzy Hash: d9722b1f8dd4e3be1274e677256ccf7990f5e649a2613ef60cc85d6cc6a2ecd3
                                                          • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                                            • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                            • Part of subcall function 004137AA: RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                            • Part of subcall function 004137AA: RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateInfoParametersSystemValue
                                                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                          • API String ID: 4127273184-3576401099
                                                          • Opcode ID: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                                          • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                                          • Opcode Fuzzy Hash: f5c8ef2c27851cf1013244d94d6a0450d36d3a4faca39a9ae70033779c708183
                                                          • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG,004461B7,00000003), ref: 00443376
                                                          • TerminateProcess.KERNEL32(00000000), ref: 0044337D
                                                          • ExitProcess.KERNEL32 ref: 0044338F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID: PkGNG
                                                          • API String ID: 1703294689-263838557
                                                          • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                          • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                                          • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                                          • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                                          APIs
                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                                          • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                                          • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                          • String ID:
                                                          • API String ID: 4212172061-0
                                                          • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                          • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                                          • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                                          • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                                          APIs
                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                          • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID: p'E$JD
                                                          • API String ID: 1084509184-908320845
                                                          • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                          • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                                          • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                                          • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                                          APIs
                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorInfoLastLocale$_free$_abort
                                                          • String ID:
                                                          • API String ID: 2829624132-0
                                                          • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                          • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                                          • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                                          • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                          • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                                          • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                                          • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                                          APIs
                                                          • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,00433550,00000034,?,?,00000000), ref: 004338DA
                                                          • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?), ref: 004338F0
                                                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,004335E3,?,?,?,0041E2E2), ref: 00433902
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                          • String ID:
                                                          • API String ID: 1815803762-0
                                                          • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                          • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                                          • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                                          • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                                          APIs
                                                          • OpenClipboard.USER32(00000000), ref: 0040B74C
                                                          • GetClipboardData.USER32(0000000D), ref: 0040B758
                                                          • CloseClipboard.USER32 ref: 0040B760
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$CloseDataOpen
                                                          • String ID:
                                                          • API String ID: 2058664381-0
                                                          • Opcode ID: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                                          • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                                          • Opcode Fuzzy Hash: 26d649817908997ada01c7e81b47d9ed8d660a846a8981428adfc510ab3c4a2f
                                                          • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                                          APIs
                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FeaturePresentProcessor
                                                          • String ID:
                                                          • API String ID: 2325560087-3916222277
                                                          • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                          • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                                          • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                                          • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .
                                                          • API String ID: 0-248832578
                                                          • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                          • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                                          • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                                          • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                                          APIs
                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                          • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID: JD
                                                          • API String ID: 1084509184-2669065882
                                                          • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                          • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                                          • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                                          • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: GetLocaleInfoEx
                                                          • API String ID: 2299586839-2904428671
                                                          • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                                          • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                                          • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                                          • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$FreeProcess
                                                          • String ID:
                                                          • API String ID: 3859560861-0
                                                          • Opcode ID: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                                          • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                                          • Opcode Fuzzy Hash: 95356b50ae1c40d028bb7c10486cf6eec28d3cbd66e590edfc92b155960a397c
                                                          • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                                          APIs
                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                                          • String ID:
                                                          • API String ID: 1663032902-0
                                                          • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                          • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                                          • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                                          • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                                          APIs
                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$InfoLocale_abort_free
                                                          • String ID:
                                                          • API String ID: 2692324296-0
                                                          • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                          • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                                          • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                                          • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                                          APIs
                                                          • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          • Opcode ID: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                                                          • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                                          • Opcode Fuzzy Hash: 6f8df8ca086827d3b7a07e2ceec29cc063485458526563a8914dedb1098b546b
                                                          • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                                          APIs
                                                            • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(?,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                                          • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                                          • String ID:
                                                          • API String ID: 1272433827-0
                                                          • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                          • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                                          • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                                          • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                                          APIs
                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                          • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID:
                                                          • API String ID: 1084509184-0
                                                          • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                          • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                                          • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                                          • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                                          APIs
                                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.3 Pro), ref: 0040F920
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0
                                                          • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                                          • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                                          • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                                          • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                          • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                                          • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                                          • Instruction Fuzzy Hash:
                                                          APIs
                                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                                            • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                                          • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                                          • DeleteDC.GDI32(00000000), ref: 00418F65
                                                          • DeleteDC.GDI32(00000000), ref: 00418F68
                                                          • DeleteObject.GDI32(00000000), ref: 00418F6B
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                                          • DeleteDC.GDI32(00000000), ref: 00418F9D
                                                          • DeleteDC.GDI32(00000000), ref: 00418FA0
                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                                          • GetIconInfo.USER32(?,?), ref: 00418FF8
                                                          • DeleteObject.GDI32(?), ref: 00419027
                                                          • DeleteObject.GDI32(?), ref: 00419034
                                                          • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                                          • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                                          • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                                          • DeleteDC.GDI32(?), ref: 004191B7
                                                          • DeleteDC.GDI32(00000000), ref: 004191BA
                                                          • DeleteObject.GDI32(00000000), ref: 004191BD
                                                          • GlobalFree.KERNEL32(?), ref: 004191C8
                                                          • DeleteObject.GDI32(00000000), ref: 0041927C
                                                          • GlobalFree.KERNEL32(?), ref: 00419283
                                                          • DeleteDC.GDI32(?), ref: 00419293
                                                          • DeleteDC.GDI32(00000000), ref: 0041929E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                                          • String ID: DISPLAY
                                                          • API String ID: 479521175-865373369
                                                          • Opcode ID: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                                          • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                                          • Opcode Fuzzy Hash: a3a4741cb06b3bb280ebd52fb29a8cd3e9580c118e1ba6673d441af15fd395ed
                                                          • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                                          • ResumeThread.KERNEL32(?), ref: 00418470
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                                          • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                                          • GetLastError.KERNEL32 ref: 004184B5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                          • API String ID: 4188446516-3035715614
                                                          • Opcode ID: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                                          • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                                          • Opcode Fuzzy Hash: 270f6f13d6fde63ba60b02dc59acd4711bf4d0802e0e8c14fb5fe4b704ceb149
                                                          • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
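The call sequence listed above is the textbook process-hollowing pattern: CreateProcessW with dwCreationFlags 00000004 (CREATE_SUSPENDED), GetThreadContext on the suspended child, ZwUnmapViewOfSection resolved by hand from ntdll to drop the child's original image, WriteProcessMemory to place the payload, SetThreadContext to point the entry at it, and ResumeThread. As an added example (not part of the Joe Sandbox report or of the sample), the Python below parses API lines in exactly the "Name.MODULE(args), ref: ADDR" format this report uses, pulls out the string literals handed to GetModuleHandle/GetProcAddress, and scores a trace against that sequence. The two traces embedded in it are constructed: the first is a copy of the listing above, the second a plain child launch used as a negative control; the thresholds and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the API listing of the routine above, copied in the
# report's own "Name.MODULE(args), ref: ADDR" format (bullets optional).
SAMPLE_TRACE = """\
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
• GetProcAddress.KERNEL32(00000000), ref: 00418174
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
• GetProcAddress.KERNEL32(00000000), ref: 00418188
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
• GetProcAddress.KERNEL32(00000000), ref: 0041819C
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
• GetProcAddress.KERNEL32(00000000), ref: 004181B0
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
• GetThreadContext.KERNEL32(?,00000000), ref: 00418280
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
• SetThreadContext.KERNEL32(?,00000000), ref: 00418463
• ResumeThread.KERNEL32(?), ref: 00418470
• GetLastError.KERNEL32 ref: 004184B5
"""

# Constructed negative control: an ordinary child launch, flags 0, no context rewrite.
BENIGN_TRACE = """\
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401010
• CloseHandle.KERNEL32(?), ref: 00401020
"""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit; 6th CreateProcess argument (index 5)

SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
CALL_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    nested: bool  # True for "Part of subcall function" entries


def parse_trace(text: str) -> list:
    """Parse report-style API lines into ApiCall records; lines that do not match are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        nested = False
        sub = SUBCALL_RE.match(line)
        if sub:
            nested, line = True, sub.group("rest")
        m = CALL_RE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") is not None else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), nested))
    return calls


def hex_arg(call: ApiCall, index: int):
    """Argument as an int, or None when the report shows '?' (value unknown statically)."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def is_literal(arg: str) -> bool:
    # The report prints pointers/values as 8 hex digits and unknowns as '?'; anything else is a string.
    return arg not in ("", "?") and re.fullmatch(r"[0-9A-Fa-f]{8}", arg) is None


def resolved_names(calls: list) -> set:
    """String literals passed to GetModuleHandle*/GetProcAddress: the imports resolved at run time."""
    names = set()
    for c in calls:
        if c.name.startswith(("GetModuleHandle", "GetProcAddress")):
            names.update(a for a in c.args if is_literal(a))
    return names


def in_order(names: list, wanted: list) -> bool:
    """True when every name in `wanted` occurs in `names` in that order (other calls may intervene)."""
    it = iter(names)
    return all(any(n == w for n in it) for w in wanted)


def detect_hollowing(calls: list) -> dict:
    """Score a trace against the hollowing sequence the routine above issues:
    suspended child, context read, original image unmapped, payload written, context set, thread resumed."""
    top = [c for c in calls if not c.nested]
    suspended = any(
        c.name in ("CreateProcessW", "CreateProcessA")
        and hex_arg(c, 5) is not None
        and hex_arg(c, 5) & CREATE_SUSPENDED
        for c in top
    )
    unmap = bool({"ZwUnmapViewOfSection", "NtUnmapViewOfSection"} & resolved_names(calls))
    sequence = in_order([c.name for c in top],
                        ["CreateProcessW", "GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"])
    return {"suspended_create": suspended, "unmap_resolved": unmap, "inject_sequence": sequence,
            "verdict": suspended and sequence}
```

The verdict deliberately rests on the suspended create plus the context-rewrite sequence; the unmap indicator is reported separately because some loaders skip unmapping and simply overwrite the image in place, and a missed GetProcAddress string would otherwise hide the whole technique.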
                                                          APIs
                                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                                          • ExitProcess.KERNEL32 ref: 0040D80B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                          • API String ID: 1861856835-1447701601
                                                          • Opcode ID: 5bfd04f2c3675bb3e4ccca17f50e3f4c8b9b0143e22e23c3ef80078f3e2ac138
                                                          • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                                          • Opcode Fuzzy Hash: 5bfd04f2c3675bb3e4ccca17f50e3f4c8b9b0143e22e23c3ef80078f3e2ac138
                                                          • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                                          APIs
                                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00000000,?,0040D47D,?,00000000), ref: 0040B8F6
                                                            • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                                            • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2A2,00000000,?,0040D47D,?,00000000), ref: 0040B910
                                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                                          • ExitProcess.KERNEL32 ref: 0040D454
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xpF
                                                          • API String ID: 3797177996-2483056239
                                                          • Opcode ID: 4ed49e942f17f0f2b3abb6c7cdc5849daee16a078121c92a28a1cb87cb179660
                                                          • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                                          • Opcode Fuzzy Hash: 4ed49e942f17f0f2b3abb6c7cdc5849daee16a078121c92a28a1cb87cb179660
                                                          • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
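The two routines above (at 0040D558 and 0040D1E0) are the sample's uninstall and cleanup paths. Both delete the HKCU autostart entry (RegDeleteKeyA with 80000001, HKEY_CURRENT_USER, against the Software\Microsoft\Windows\CurrentVersion\Run\ and Policies\Explorer\Run\ names in the string list), reset the file attributes to FILE_ATTRIBUTE_NORMAL (00000080), write a VBScript under Temp (the first variant names it \update.vbs and also carries a CreateObject("WScript.Shell").Run "cmd /c" fragment), launch it with ShellExecuteW open, and call ExitProcess so the script can remove the executable once the process is gone. The script fragments in the string list (On Error Resume Next, Set fso = CreateObject("Scripting.FileSystemObject"), while fso.FileExists(" ... fso.DeleteFile " ... wend, fso.DeleteFolder ", fso.DeleteFile(Wscript.ScriptFullName)) describe a self-deleting stub. As an added example that is not part of the report or of the sample, the Python below recognises that stub in a dropped .vbs and lists what it removes. The script it is run on is constructed from those fragments: the line order and the target path are this example's assumptions, not recovered from the sample.

```python
import re

# Constructed sample: a self-deleting cleanup script assembled from the string fragments the
# report lists for these routines. Line order and the target path are assumptions for
# illustration only; nothing here was recovered from the sample's actual dropped file.
SAMPLE_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\user\AppData\Roaming\example\example.exe")
fso.DeleteFile "C:\Users\user\AppData\Roaming\example\example.exe"
wend
fso.DeleteFolder "C:\Users\user\AppData\Roaming\example"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed negative control: deletes one temp file once, no wait loop, no self-delete.
BENIGN_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile "C:\Users\user\AppData\Local\Temp\report.tmp"
'''

FSO_RE = re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I)
SHELL_RUN_RE = re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)\.Run\b', re.I)
# while <obj>.FileExists("<path>") ... wend : keeps retrying until the file is really gone
WAIT_LOOP_RE = re.compile(
    r'\bwhile\s+\w+\.FileExists\s*\(\s*"(?P<path>[^"]+)"\s*\)(?P<body>.*?)\bwend\b', re.I | re.S)
DELETE_RE = re.compile(r'\b\w+\.(?P<op>DeleteFile|DeleteFolder)\s*\(?\s*"(?P<path>[^"]+)"', re.I)
SELF_DELETE_RE = re.compile(r'\b\w+\.DeleteFile\s*\(?\s*WScript\.ScriptFullName\b', re.I)
ON_ERROR_RE = re.compile(r"^\s*On Error Resume Next\s*$", re.I | re.M)


def analyze_vbs(script: str) -> dict:
    """Classify a VBScript as a self-deleting uninstall stub and list the paths it removes."""
    loops = list(WAIT_LOOP_RE.finditer(script))
    # A DeleteFile inside a FileExists wait loop is the idiom for removing a still-running
    # executable: the loop spins until the parent has exited and the delete finally succeeds.
    retry_delete = any(DELETE_RE.search(m.group("body")) for m in loops)
    targets = sorted({(m.group("op"), m.group("path")) for m in DELETE_RE.finditer(script)})
    flags = {
        "uses_fso": bool(FSO_RE.search(script)),
        "wait_loop": bool(loops),
        "retry_delete_loop": retry_delete,
        "deletes_folder": any(op == "DeleteFolder" for op, _ in targets),
        "self_delete": bool(SELF_DELETE_RE.search(script)),
        "errors_suppressed": bool(ON_ERROR_RE.search(script)),
        "spawns_cmd": bool(SHELL_RUN_RE.search(script)),
    }
    flags["verdict"] = flags["uses_fso"] and flags["retry_delete_loop"] and flags["self_delete"]
    return {"flags": flags, "targets": targets}
```

When triaging a host, the targets list gives the install directory the stub was asked to wipe, which is the same path the autostart value pointed at before RegDeleteKeyA removed it; check the Run and Policies\Explorer\Run keys and the Temp directory for the .vbs itself, since a blocked ExitProcess or a failed ShellExecuteW leaves both behind.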
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 004124CF
                                                          • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                                          • CloseHandle.KERNEL32(00000000), ref: 00412576
                                                          • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                                          • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                                          • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                                            • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                                          • Sleep.KERNEL32(000001F4), ref: 004126BD
                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                                          • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                                          • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                                          • String ID: .exe$8SG$WDH$exepath$open$temp_
                                                          • API String ID: 2649220323-436679193
                                                          • Opcode ID: 898725a538578efc964f3db07f9b73ad570f6512a08a1881f5d957b613d7759d
                                                          • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                                          • Opcode Fuzzy Hash: 898725a538578efc964f3db07f9b73ad570f6512a08a1881f5d957b613d7759d
                                                          • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                                          APIs
                                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                                          • SetEvent.KERNEL32 ref: 0041B2AA
                                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                                          • CloseHandle.KERNEL32 ref: 0041B2CB
                                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                                          • API String ID: 738084811-2094122233
                                                          • Opcode ID: 7c34508947559437a3a277e9d61a1f5e5f7acc13b7aac5b1e5b5860917e6a28f
                                                          • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                                          • Opcode Fuzzy Hash: 7c34508947559437a3a277e9d61a1f5e5f7acc13b7aac5b1e5b5860917e6a28f
                                                          • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                                          • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                                          • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                                          • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Write$Create
                                                          • String ID: RIFF$WAVE$data$fmt
                                                          • API String ID: 1602526932-4212202414
                                                          • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                          • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                                          • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                                          • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
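The thirteen WriteFile calls above, with their 4/4/4/4/4/2/2/4/4/2/2/4/4-byte lengths and the RIFF, WAVE, "fmt " and data tags, are the canonical 44-byte PCM WAV header written one field at a time: RIFF size, fmt chunk length, format tag, channel count, sample rate, byte rate, block align, bits per sample, then the data chunk length. As an added example that is not part of the report or of the sample, the Python below mirrors those writes in a builder, parses and cross-checks such a header, and carves consistent headers out of an arbitrary byte buffer, which is the practical use: recovering audio files the sample wrote from a memory dump or a captured upload. The sample rate, channel count and buffers used in it are constructed for the example and say nothing about what this sample records.

```python
import struct

HEADER_LEN = 44        # 4+4+4+4+4+2+2+4+4+2+2+4+4, the thirteen writes above
WAVE_FORMAT_PCM = 1


def build_wav_header(channels: int, sample_rate: int, bits_per_sample: int, data_len: int) -> bytes:
    """Emit the canonical PCM WAV header, field for field in the order of the WriteFile calls above."""
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    return b"".join([
        b"RIFF",
        struct.pack("<I", 36 + data_len),   # RIFF chunk size: everything after this field
        b"WAVE",
        b"fmt ",
        struct.pack("<I", 16),              # fmt chunk length for plain PCM
        struct.pack("<H", WAVE_FORMAT_PCM),
        struct.pack("<H", channels),
        struct.pack("<I", sample_rate),
        struct.pack("<I", byte_rate),
        struct.pack("<H", block_align),
        struct.pack("<H", bits_per_sample),
        b"data",
        struct.pack("<I", data_len),
    ])


def parse_wav_header(blob: bytes):
    """Parse a canonical header and cross-check its derived fields; None if it is not a consistent PCM WAV."""
    if len(blob) < HEADER_LEN or blob[0:4] != b"RIFF" or blob[8:12] != b"WAVE" or blob[12:16] != b"fmt ":
        return None
    riff_size, = struct.unpack_from("<I", blob, 4)
    fmt_len, fmt_tag, channels, rate, byte_rate, align, bits = struct.unpack_from("<IHHIIHH", blob, 16)
    if blob[36:40] != b"data" or fmt_len != 16 or fmt_tag != WAVE_FORMAT_PCM:
        return None
    data_len, = struct.unpack_from("<I", blob, 40)
    # Consistency checks weed out random "RIFF" hits and truncated or tampered headers.
    if channels == 0 or bits not in (8, 16, 24, 32):
        return None
    if align != channels * bits // 8 or byte_rate != rate * align or riff_size != 36 + data_len:
        return None
    return {"channels": channels, "sample_rate": rate, "bits": bits, "data_len": data_len,
            "seconds": data_len / byte_rate if byte_rate else 0.0}


def carve_wav(buffer: bytes) -> list:
    """(offset, header) for every consistent WAV header in a buffer such as a memory dump or pcap payload."""
    found = []
    pos = buffer.find(b"RIFF")
    while pos != -1:
        hdr = parse_wav_header(buffer[pos:pos + HEADER_LEN])
        if hdr:
            found.append((pos, hdr))
        pos = buffer.find(b"RIFF", pos + 1)
    return found


# Constructed buffer: 7 bytes of padding, one valid mono 16-bit 8 kHz header with one second of
# silence behind it, then a bogus "RIFF" tag followed by filler that no parser should accept.
SAMPLE_DUMP = (b"\x00" * 7 + build_wav_header(1, 8000, 16, 16000) + b"\x00" * 16000
               + b"RIFF" + b"\xff" * 40 + b"junk")

# Constructed tampered header: byte rate overwritten at offset 28 so it no longer matches rate*align.
_bad = bytearray(build_wav_header(2, 44100, 16, 1000))
struct.pack_into("<I", _bad, 28, 12345)
BAD_HEADER = bytes(_bad)
```

The byte-rate and block-align cross-checks matter more than the magic tags when carving: "RIFF" appears in other containers (AVI, WebP) and in random data, and a header whose derived fields disagree with each other is either not a WAV or has been deliberately damaged.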
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\aDGx3jaI7i.exe,00000001,00407688,C:\Users\user\Desktop\aDGx3jaI7i.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: C:\Users\user\Desktop\aDGx3jaI7i.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                          • API String ID: 1646373207-2279347655
                                                          • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                          • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                                          • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                                          • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                                          APIs
                                                          • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                                          • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                                          • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                                          • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                                          • _wcslen.LIBCMT ref: 0041C1CC
                                                          • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                                          • GetLastError.KERNEL32 ref: 0041C204
                                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                                          • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                                          • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                                          • GetLastError.KERNEL32 ref: 0041C261
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                          • String ID: ?
                                                          • API String ID: 3941738427-1684325040
                                                          • Opcode ID: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                          • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                                          • Opcode Fuzzy Hash: a0ce836f87bdb73d1aed96e44626d16fc1f948222461cff8e144d7328d36a715
                                                          • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                                          • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                                          • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                          • String ID: EIA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                          • API String ID: 2490988753-3346362794
                                                          • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                          • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                                          • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                                          • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$EnvironmentVariable$_wcschr
                                                          • String ID:
                                                          • API String ID: 3899193279-0
                                                          • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                          • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                                          • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                                          • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                          • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                                          • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                                          • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                                          • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                                          • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                                          • Sleep.KERNEL32(00000064), ref: 00412ECF
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                          • String ID: /stext "$0TG$0TG$NG$NG
                                                          • API String ID: 1223786279-2576077980
                                                          • Opcode ID: 8c943dcdbf7e2afa2f8ef9492e2a8597070d00b8e9ecf695a3f99b050f00a8b7
                                                          • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                                          • Opcode Fuzzy Hash: 8c943dcdbf7e2afa2f8ef9492e2a8597070d00b8e9ecf695a3f99b050f00a8b7
                                                          • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                                          • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnumOpen
                                                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                          • API String ID: 1332880857-3714951968
                                                          • Opcode ID: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                                                          • Instruction ID: 8204223968f620e226549da85b9b34a309c849e8d9bbed411749b7727356edba
                                                          • Opcode Fuzzy Hash: f13192da4e66231cc3a913cdaba6528dc2f099d68fe13da123ac92ab36a9ee38
                                                          • Instruction Fuzzy Hash: 3E8133311082459BC325EF11D851EEFB7E8BF94309F10492FB589921A2FF74AE49CA5A
                                                          APIs
                                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                                          • GetCursorPos.USER32(?), ref: 0041D67A
                                                          • SetForegroundWindow.USER32(?), ref: 0041D683
                                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                                          • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                                          • ExitProcess.KERNEL32 ref: 0041D6F6
                                                          • CreatePopupMenu.USER32 ref: 0041D6FC
                                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                          • String ID: Close
                                                          • API String ID: 1657328048-3535843008
                                                          • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                          • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                                          • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                                          • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                                          • SetEvent.KERNEL32(?), ref: 00404E43
                                                          • CloseHandle.KERNEL32(?), ref: 00404E4C
                                                          • closesocket.WS2_32(?), ref: 00404E5A
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                                          • SetEvent.KERNEL32(?), ref: 00404EA2
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                                          • SetEvent.KERNEL32(?), ref: 00404EBA
                                                          • CloseHandle.KERNEL32(?), ref: 00404EBF
                                                          • CloseHandle.KERNEL32(?), ref: 00404EC4
                                                          • SetEvent.KERNEL32(?), ref: 00404ED1
                                                          • CloseHandle.KERNEL32(?), ref: 00404ED6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                          • String ID: PkGNG
                                                          • API String ID: 3658366068-263838557
                                                          • Opcode ID: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                          • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                                          • Opcode Fuzzy Hash: 1684f4f73009feb69d70dfcf302ee3e014c0b3edf4bc9f5cbab22c6bf1399946
                                                          • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$Info
                                                          • String ID:
                                                          • API String ID: 2509303402-0
                                                          • Opcode ID: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                                          • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                                          • Opcode Fuzzy Hash: d11cf9d75a9b095113a5c4e7a536203a51778a2c4217635f9f2315e0a594c0ce
                                                          • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                                          • __aulldiv.LIBCMT ref: 00408D88
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                                          • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                                          • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                                          • CloseHandle.KERNEL32(00000000), ref: 00409037
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                                          • API String ID: 3086580692-2582957567
                                                          • Opcode ID: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                          • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                                          • Opcode Fuzzy Hash: 2a6cbd74b7f1d7262aabe967babe0c7563b8d160d0352d0a7d413315700012c3
                                                          • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                                          APIs
                                                          • Sleep.KERNEL32(00001388), ref: 0040A77B
                                                            • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                                            • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                                            • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                                            • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,00000000,00000000,00000000), ref: 0040A962
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                          • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                                          • API String ID: 3795512280-1152054767
                                                          • Opcode ID: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                          • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                                          • Opcode Fuzzy Hash: ff793148450d5445b41cee081077762d1b1ae7bc4452be26425da9ad383290d3
                                                          • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E
                                                          APIs
                                                          • connect.WS2_32(?,?,?), ref: 004048E0
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                                          • WSAGetLastError.WS2_32 ref: 00404A21
                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                          • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                          • API String ID: 994465650-3229884001
                                                          • Opcode ID: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                          • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                                          • Opcode Fuzzy Hash: f8a90a434b368baa81854eed5f01dc5ff272a353476d3d54f953a4ddd85b29a4
                                                          • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF
                                                          APIs
                                                          • ___free_lconv_mon.LIBCMT ref: 0045138A
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                                            • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                                          • _free.LIBCMT ref: 0045137F
                                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                          • _free.LIBCMT ref: 004513A1
                                                          • _free.LIBCMT ref: 004513B6
                                                          • _free.LIBCMT ref: 004513C1
                                                          • _free.LIBCMT ref: 004513E3
                                                          • _free.LIBCMT ref: 004513F6
                                                          • _free.LIBCMT ref: 00451404
                                                          • _free.LIBCMT ref: 0045140F
                                                          • _free.LIBCMT ref: 00451447
                                                          • _free.LIBCMT ref: 0045144E
                                                          • _free.LIBCMT ref: 0045146B
                                                          • _free.LIBCMT ref: 00451483
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 161543041-0
                                                          • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                          • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                                          • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                                          • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                                          APIs
                                                            • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,?,0040D84A), ref: 0041289B
                                                            • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF,?,0040D84A), ref: 004128AE
                                                            • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 0041374F
                                                            • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00413768
                                                            • Part of subcall function 00413733: RegCloseKey.ADVAPI32(?), ref: 00413773
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                                          • ExitProcess.KERNEL32 ref: 0040D9FF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                          • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                          • API String ID: 1913171305-3159800282
                                                          • Opcode ID: 44289f883dd7562718e3be597d001429dd6f7e5766c69b57721553f9088b28da
                                                          • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                                          • Opcode Fuzzy Hash: 44289f883dd7562718e3be597d001429dd6f7e5766c69b57721553f9088b28da
                                                          • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                          • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                                          • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                                          • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                                          APIs
                                                            • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                                          • GetLastError.KERNEL32 ref: 00455D6F
                                                          • __dosmaperr.LIBCMT ref: 00455D76
                                                          • GetFileType.KERNEL32(00000000), ref: 00455D82
                                                          • GetLastError.KERNEL32 ref: 00455D8C
                                                          • __dosmaperr.LIBCMT ref: 00455D95
                                                          • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                                          • CloseHandle.KERNEL32(?), ref: 00455EFF
                                                          • GetLastError.KERNEL32 ref: 00455F31
                                                          • __dosmaperr.LIBCMT ref: 00455F38
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                          • String ID: H
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,tC,0043EA74,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006), ref: 0044AD23
                                                          • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AF1A,00000001,00000001,A4E85006,?,?,?), ref: 0044ADA9
                                                          • __alloca_probe_16.LIBCMT ref: 0044AE40
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                                          • __freea.LIBCMT ref: 0044AEB0
                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                          • __freea.LIBCMT ref: 0044AEB9
                                                          • __freea.LIBCMT ref: 0044AEDE
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                          • String ID: PkGNG$tC
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: \&G$\&G$`&G
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 65535$udp
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 0040AD73
                                                          • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                                          • GetForegroundWindow.USER32 ref: 0040AD84
                                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                                          • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                          Similarity
                                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                          • String ID: [${ User has been idle for $ minutes }$]
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                                          • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                                          • __dosmaperr.LIBCMT ref: 0043A926
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                                          • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                                          • __dosmaperr.LIBCMT ref: 0043A963
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                                          • __dosmaperr.LIBCMT ref: 0043A9B7
                                                          • _free.LIBCMT ref: 0043A9C3
                                                          • _free.LIBCMT ref: 0043A9CA
                                                          Similarity
                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                          • String ID:
                                                          APIs
                                                          • SetEvent.KERNEL32(?,?), ref: 004054BF
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                                          • TranslateMessage.USER32(?), ref: 0040557E
                                                          • DispatchMessageA.USER32(?), ref: 00405589
                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Similarity
                                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                                          APIs
                                                            • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                                          • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                                          • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Similarity
                                                          • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                          • String ID: 0VG$0VG$<$@$Temp
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 0041697C
                                                          • EmptyClipboard.USER32 ref: 0041698A
                                                          • CloseClipboard.USER32 ref: 00416990
                                                          • OpenClipboard.USER32 ref: 00416997
                                                          • GetClipboardData.USER32(0000000D), ref: 004169A7
                                                          • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                                          • CloseClipboard.USER32 ref: 004169BF
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Similarity
                                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                          • String ID: !D@
                                                          APIs
                                                          • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                                          • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                                          • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                                          • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                                          • CloseHandle.KERNEL32(?), ref: 004134A0
                                                          Similarity
                                                          • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                                          • String ID:
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          APIs
                                                          • _free.LIBCMT ref: 004481B5
                                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                          • _free.LIBCMT ref: 004481C1
                                                          • _free.LIBCMT ref: 004481CC
                                                          • _free.LIBCMT ref: 004481D7
                                                          • _free.LIBCMT ref: 004481E2
                                                          • _free.LIBCMT ref: 004481ED
                                                          • _free.LIBCMT ref: 004481F8
                                                          • _free.LIBCMT ref: 00448203
                                                          • _free.LIBCMT ref: 0044820E
                                                          • _free.LIBCMT ref: 0044821C
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          Similarity
                                                          • API ID: Eventinet_ntoa
                                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                                          APIs
                                                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0045707F), ref: 00455FA7
                                                          Similarity
                                                          • API ID: DecodePointer
                                                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                                          • __fassign.LIBCMT ref: 0044B4F9
                                                          • __fassign.LIBCMT ref: 0044B514
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                                          • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B559
                                                          • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BBB1,?), ref: 0044B592
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                          • String ID: PkGNG
                                                          • API String ID: 1324828854-263838557
                                                          • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                          • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                                          • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                                          • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                          • Sleep.KERNEL32(00000064), ref: 0041755C
                                                          • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateDeleteExecuteShellSleep
                                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                          • API String ID: 1462127192-2001430897
                                                          • Opcode ID: f341753d6f3a08b8f61e7ed043ac881f71afe8c82c6e57c86a755af76922d4c4
                                                          • Instruction ID: 6598d36db715e58345e35b35962d03aab6dacf30af49f41f33489dbeb2d48940
                                                          • Opcode Fuzzy Hash: f341753d6f3a08b8f61e7ed043ac881f71afe8c82c6e57c86a755af76922d4c4
                                                          • Instruction Fuzzy Hash: 17313F71940119AADB04FB61DC96DED7735AF50309F00017EF606731E2EF785A8ACA9C
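The record above is the host-profiling routine: ShellExecuteW opens dxdiag with the strings "/t ", "\sysinfo.txt" and "temp" (dxdiag /t writes a full system report to the named file), the function sleeps 0x64 = 100 ms, the subcall opens the file with GENERIC_READ (80000000) and OPEN_EXISTING (00000003), and DeleteFileW removes it. Because the report exists on disk only briefly, file-creation telemetry is an unreliable signal; the process-creation event carrying the dxdiag command line is the durable one. The Python below is an added example, not code from Joe Sandbox or from this report: it classifies process-creation events using Sysmon-style field names (Image, CommandLine, ParentImage; an assumption about the collector), the sample events are constructed, and the Temp-path and parent-process rules are this example's own heuristics.

```python
"""Flag dxdiag-based system profiling from process-creation telemetry.

Added example, not part of the Joe Sandbox report. Field names follow the
Sysmon EventID 1 layout as an assumption; the events below are constructed.
"""
import ntpath
import re

# Constructed events: one matching the pattern in the record above (dxdiag
# /t into %TEMP%\sysinfo.txt spawned by the sample), two benign runs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dxdiag.exe",
     "CommandLine": r"dxdiag /t C:\Users\user\AppData\Local\Temp\sysinfo.txt",
     "ParentImage": r"C:\Users\user\Desktop\aDGx3jaI7i.exe"},
    {"Image": r"C:\Windows\System32\dxdiag.exe",
     "CommandLine": "dxdiag",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\dxdiag.exe",
     "CommandLine": r'"dxdiag.exe" /t D:\reports\gpu.txt',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Per-user and system Temp directories (heuristic, assumption of this example).
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)

# Parents from which an operator would plausibly run a report by hand.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}


def dxdiag_report_path(cmdline):
    """Return the output file of a 'dxdiag /t <file>' command line, or None."""
    m = re.search(r'(?:^|\s)/t\s+("[^"]+"|\S+)', cmdline, re.I)
    if not m:
        return None
    return m.group(1).strip('"')


def classify(event):
    """Classify one process-creation event.

    None          - not dxdiag at all
    'interactive' - dxdiag without /t (GUI run)
    'report'      - /t run to a non-Temp path, or from an interactive parent
    'suspicious'  - /t run into a Temp directory from a non-interactive parent
    """
    if ntpath.basename(event["Image"]).lower() != "dxdiag.exe":
        return None
    out = dxdiag_report_path(event["CommandLine"])
    if out is None:
        return "interactive"
    parent = ntpath.basename(event["ParentImage"]).lower()
    if TEMP_DIR.search(out) and parent not in INTERACTIVE_PARENTS:
        return "suspicious"
    return "report"


def triage(events):
    """Return (verdict, parent image) for every dxdiag event in the batch."""
    return [(classify(e), e["ParentImage"]) for e in events if classify(e)]


if __name__ == "__main__":
    for verdict, parent in triage(SAMPLE_EVENTS):
        print(f"{verdict:12s} parent={parent}")
```

The report file name itself is not a reliable indicator: the record only shows the literal "\sysinfo.txt" appended to the "temp" variable, and an operator can change both, so the rule keys on the /t switch plus the Temp destination and the parent rather than on the file name.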
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                                          • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\aDGx3jaI7i.exe), ref: 004074D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CurrentProcess
                                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                                          • API String ID: 2050909247-4242073005
                                                          • Opcode ID: cf568b37148f4497f81ab12635e2dca67c7b70f724ed768a1d25f1bc6ab9bf95
                                                          • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                                          • Opcode Fuzzy Hash: cf568b37148f4497f81ab12635e2dca67c7b70f724ed768a1d25f1bc6ab9bf95
                                                          • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                                          APIs
                                                          • _strftime.LIBCMT ref: 00401D50
                                                            • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                                          • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                          • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                                          • API String ID: 3809562944-243156785
                                                          • Opcode ID: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                                          • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                                          • Opcode Fuzzy Hash: 5ca57e464fc48cfd7ac60de242ae16507c8b77f4a1a81d17ad6b6b7cf7425d61
                                                          • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                                          • int.LIBCPMT ref: 00410EBC
                                                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                          • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                                          • __Init_thread_footer.LIBCMT ref: 00410F64
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                          • String ID: ,kG$0kG
                                                          • API String ID: 3815856325-2015055088
                                                          • Opcode ID: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                          • Instruction ID: 6b7561e6e5701aa818233467e21ea388c72e3112cb5a37ed7db11c94fdfc7bf8
                                                          • Opcode Fuzzy Hash: 9b6f417909eb5cd4a3a9238d92eaca8e17f16862a4fd72c37d6a1f751429c824
                                                          • Instruction Fuzzy Hash: 682129329005249BCB14FB6AD8429DE77A9DF48324F21416FF404E72D1DFB9AD818B9D
                                                          APIs
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                                          • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                                          • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                                          • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                                          • waveInStart.WINMM ref: 00401CFE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                          • String ID: dMG$|MG$PG
                                                          • API String ID: 1356121797-532278878
                                                          • Opcode ID: eef3d83c920f1a8878cb9ae4af55a885980d63effcab8dea3858d63941c1ab5b
                                                          • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                                          • Opcode Fuzzy Hash: eef3d83c920f1a8878cb9ae4af55a885980d63effcab8dea3858d63941c1ab5b
                                                          • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                                            • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                                            • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                                            • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                                          • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                                          • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                                          • TranslateMessage.USER32(?), ref: 0041D57A
                                                          • DispatchMessageA.USER32(?), ref: 0041D584
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                          • String ID: Remcos
                                                          • API String ID: 1970332568-165870891
                                                          • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                          • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                                          • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                                          • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
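The API reference lines in these records (the dxdiag record, the waveIn audio-capture records, the SendInput record and the tray-icon record above that copies the string "Remcos" with lstrcpynA) all share one format: module.function(args), ref: address, with "Part of subcall function <addr>:" prefixed on indirect calls and the argument list omitted when none was recovered. The Python below is an added example, not code from Joe Sandbox or from this report: it parses lines in that format into structured calls, separates literal string arguments from hex values and unknowns, and tags behaviours across records. The sample lines are copied from records on this page; the tag names and rules are this example's own heuristics, not Joe Sandbox signature names.

```python
"""Parse Joe Sandbox IDA-plugin API reference lines and tag behaviours.

Added example, not part of the Joe Sandbox report. Sample lines are copied
from records on this page; behaviour tags are this example's heuristics.
"""
import re
from collections import defaultdict

SAMPLE_LINES = """\
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
  • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
• Sleep.KERNEL32(00000064), ref: 0041755C
• DeleteFileW.KERNEL32(00000000), ref: 00417590
• waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
• waveInStart.WINMM ref: 00401CFE
• lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
• Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
• SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
• _strftime.LIBCMT ref: 00401D50
"""

# One API reference line: optional subcall prefix, function.MODULE, optional
# (args), then "ref: <address>". Function names may carry :: ~ and @ (C++/CRT).
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[\w:~@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_api_lines(text):
    """Return one dict per API reference line; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "func": m.group("func"),
            "module": m.group("module").upper(),
            "args": [] if args is None else [a.strip() for a in args.split(",")],
            "ref": m.group("ref").upper(),
            "caller": (m.group("caller") or "").upper() or None,
            "direct": m.group("caller") is None,  # False for subcall lines
        })
    return calls


def string_args(call):
    """Arguments that are literal strings rather than 8-digit hex values or '?'."""
    return [a for a in call["args"] if a and a != "?" and not HEX_ARG.match(a)]


# Heuristic behaviour tags: (tag, predicate over one parsed call).
RULES = [
    ("audio_capture", lambda c: c["module"] == "WINMM" and c["func"].startswith("waveIn")),
    ("sysinfo_via_dxdiag", lambda c: c["func"].startswith("ShellExecute") and "dxdiag" in string_args(c)),
    ("input_injection", lambda c: c["func"] == "SendInput"),
    ("tray_icon", lambda c: c["func"].startswith("Shell_NotifyIcon")),
    ("remcos_string", lambda c: "Remcos" in string_args(c)),
]


def tag_behaviours(calls):
    """Map each behaviour tag to the sorted code addresses that triggered it."""
    hits = defaultdict(set)
    for call in calls:
        for tag, pred in RULES:
            if pred(call):
                hits[tag].add(call["ref"])
    return {tag: sorted(refs) for tag, refs in hits.items()}


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for call in parsed:
        print(f"{call['ref']} {call['module']}!{call['func']} strings={string_args(call)}")
    for tag, refs in tag_behaviours(parsed).items():
        print(f"{tag}: {', '.join(refs)}")
```

Keeping the "direct" flag matters when scoring: a subcall line is attributed to the callee's address, not to the record's function, so a CreateFileW reached through 0041C516 should not be counted as a file operation of the dxdiag routine itself.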
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                          • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                                          • Opcode Fuzzy Hash: 41332500f0008602d77d1c660e50033fd15bda36b9a02a1f3ccc300d02d52732
                                                          • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                                          APIs
                                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                                          • __alloca_probe_16.LIBCMT ref: 00453F6A
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                                          • __alloca_probe_16.LIBCMT ref: 00454014
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                                          • __freea.LIBCMT ref: 00454083
                                                          • __freea.LIBCMT ref: 0045408F
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                          • String ID:
                                                          • API String ID: 201697637-0
                                                          • Opcode ID: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                                          • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                                          • Opcode Fuzzy Hash: 3cd8063f553076ce798424c5fc2191fe96cf15845bda9c8b0815eea935c1a584
                                                          • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                                          APIs
                                                            • Part of subcall function 00448295: GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
                                                            • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                                            • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
                                                            • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                                          • _memcmp.LIBVCRUNTIME ref: 004454A4
                                                          • _free.LIBCMT ref: 00445515
                                                          • _free.LIBCMT ref: 0044552E
                                                          • _free.LIBCMT ref: 00445560
                                                          • _free.LIBCMT ref: 00445569
                                                          • _free.LIBCMT ref: 00445575
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorLast$_abort_memcmp
                                                          • String ID: C
                                                          • API String ID: 1679612858-1037565863
                                                          • Opcode ID: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                                          • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                                          • Opcode Fuzzy Hash: 57e83dca3a851dc1354698b3345e0422ed2f7d5811d10dab12b85ea15fb2e044
                                                          • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tcp$udp
                                                          • API String ID: 0-3725065008
                                                          • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                          • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                                          • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                                          • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 004018BE
                                                          • ExitThread.KERNEL32 ref: 004018F6
                                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                          • String ID: PkG$XMG$NG$NG
                                                          • API String ID: 1649129571-3151166067
                                                          • Opcode ID: a6c6281f9468bedd5a2c51a416d0a2a3443504d2818988bdbccb9fdc1c563a82
                                                          • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                                          • Opcode Fuzzy Hash: a6c6281f9468bedd5a2c51a416d0a2a3443504d2818988bdbccb9fdc1c563a82
                                                          • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                                          • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                                            • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                                            • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                          • String ID: .part
                                                          • API String ID: 1303771098-3499674018
                                                          • Opcode ID: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                                          • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                                          • Opcode Fuzzy Hash: c438b6c3ad66c49b0c8fac277bcd0795076709a98bb5b529a829fc4e1ae4dc70
                                                          • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                                          APIs
                                                          • SendInput.USER32 ref: 00419A25
                                                          • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                                          • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                                            • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InputSend$Virtual
                                                          • String ID:
                                                          • API String ID: 1167301434-0
                                                          • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                          • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                                          • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                                          • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __freea$__alloca_probe_16_free
                                                          • String ID: a/p$am/pm$h{D
                                                          • API String ID: 2936374016-2303565833
                                                          • Opcode ID: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                          • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                                          • Opcode Fuzzy Hash: 4ddb7e6ff69264204235b909ea28f14837368a743d4617b198cabd7c05983ebc
                                                          • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                                          APIs
                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                          • _free.LIBCMT ref: 00444E87
                                                          • _free.LIBCMT ref: 00444E9E
                                                          • _free.LIBCMT ref: 00444EBD
                                                          • _free.LIBCMT ref: 00444ED8
                                                          • _free.LIBCMT ref: 00444EEF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$AllocateHeap
                                                          • String ID: KED
                                                          • API String ID: 3033488037-2133951994
                                                          • Opcode ID: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                          • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                                          • Opcode Fuzzy Hash: 4e35ff1e2d87e21165085a9225b40beb0941a1a7db736cbd5727a613c3eec6b7
                                                          • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                                          APIs
                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Enum$InfoQueryValue
                                                          • String ID: [regsplt]$xUG$TG
                                                          • API String ID: 3554306468-1165877943
                                                          • Opcode ID: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                          • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                                          • Opcode Fuzzy Hash: 0915e5250acf3bea082794a31251f109dca26ef8e60840e512c7265f34e5d9a1
                                                          • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                                            • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                                            • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnumInfoOpenQuerysend
                                                          • String ID: xUG$NG$NG$TG
                                                          • API String ID: 3114080316-2811732169
                                                          • Opcode ID: e4b1693873f9bfafd7d4200e3b5d9e02c59f6be64668d25b7482fecaa941673b
                                                          • Instruction ID: 39136fa66a1b3d14a29046baa0c8a2124f92290552efa608aac098e6c3039c27
                                                          • Opcode Fuzzy Hash: e4b1693873f9bfafd7d4200e3b5d9e02c59f6be64668d25b7482fecaa941673b
                                                          • Instruction Fuzzy Hash: 03419F316042005AC324F726D852AEF76A99FD1384F40883FF549671D2EF7C5949866E
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F918,?,00000000,?,00000001,?,000000FF,00000001,0043F918,?), ref: 004511F9
                                                          • __alloca_probe_16.LIBCMT ref: 00451231
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451282
                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451294
                                                          • __freea.LIBCMT ref: 0045129D
                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                          • String ID: PkGNG
                                                          • API String ID: 313313983-263838557
                                                          • Opcode ID: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                          • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                                          • Opcode Fuzzy Hash: 9f5a2a67851111230ceb537eb1b7ccf29ba8faad681cfee17df3cfbc13bcf043
                                                          • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                                          APIs
                                                            • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 00413678
                                                            • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                                            • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                          • _wcslen.LIBCMT ref: 0041B7F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                          • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                                          • API String ID: 37874593-122982132
                                                          • Opcode ID: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                                          • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                                          • Opcode Fuzzy Hash: 6e4530202917b19cbbea06c57cde587f82f9719f354b1f28db5066e5f2e92548
                                                          • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                                          APIs
                                                            • Part of subcall function 004135E1: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00413605
                                                            • Part of subcall function 004135E1: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00413622
                                                            • Part of subcall function 004135E1: RegCloseKey.KERNELBASE(?), ref: 0041362D
                                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                                          • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                          • API String ID: 1133728706-4073444585
                                                          • Opcode ID: 82f3536f7391415d25674f0736c327500bde81d48cd9b738ac55359f41ca632d
                                                          • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                                          • Opcode Fuzzy Hash: 82f3536f7391415d25674f0736c327500bde81d48cd9b738ac55359f41ca632d
                                                          • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                          • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                                          • Opcode Fuzzy Hash: 6348a53403ba44e76667cab5d3d4b8c4f90ca5e92cff7b4211fa09d26e343de5
                                                          • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                                          APIs
                                                            • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                                          • _free.LIBCMT ref: 00450FC8
                                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                          • _free.LIBCMT ref: 00450FD3
                                                          • _free.LIBCMT ref: 00450FDE
                                                          • _free.LIBCMT ref: 00451032
                                                          • _free.LIBCMT ref: 0045103D
                                                          • _free.LIBCMT ref: 00451048
                                                          • _free.LIBCMT ref: 00451053
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                          • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                                          • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                                          • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                                          • int.LIBCPMT ref: 004111BE
                                                            • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                                            • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                                          • std::_Facet_Register.LIBCPMT ref: 004111FE
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                          • String ID: (mG
                                                          • API String ID: 2536120697-4059303827
                                                          • Opcode ID: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                                          • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                                          • Opcode Fuzzy Hash: 4fb09889b2dc78d6b9bc341806ed1c893def47308d87ec9f5bd5aa626124b671
                                                          • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                                          • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                          • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                                          • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                                          • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                                          APIs
                                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\aDGx3jaI7i.exe), ref: 0040760B
                                                            • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                                            • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                                          • CoUninitialize.OLE32 ref: 00407664
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InitializeObjectUninitialize_wcslen
                                                          • String ID: C:\Users\user\Desktop\aDGx3jaI7i.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                          • API String ID: 3851391207-712605096
                                                          • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                          • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                                          • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                                          • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                                          • GetLastError.KERNEL32 ref: 0040BB22
                                                          Strings
                                                          • [Chrome Cookies not found], xrefs: 0040BB3C
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                                          • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                                          • UserProfile, xrefs: 0040BAE8
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                          • API String ID: 2018770650-304995407
                                                          • Opcode ID: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                                          • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                                          • Opcode Fuzzy Hash: d4592947abf79dc324386ffcaf4b9b591dee499912662422a1d7ea612805fe04
                                                          • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                                          APIs
                                                          • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                          • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Console$AllocOutputShowWindow
                                                          • String ID: Remcos v$5.1.3 Pro$CONOUT$
                                                          • API String ID: 2425139147-2212855755
                                                          • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                          • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                                          • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                                          • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002), ref: 004433FA
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
• FreeLibrary.KERNEL32(00000000,?,?,PkGNG,0044338B,00000003,PkGNG,0044332B,00000003,0046E958,0000000C,00443482,00000003,00000002,00000000,PkGNG), ref: 00443430
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$PkGNG$mscoree.dll
• API String ID: 4061214504-213444651
• Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
• Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
• Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99

APIs
• __allrem.LIBCMT ref: 0043ACE9
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
• __allrem.LIBCMT ref: 0043AD1C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
• __allrem.LIBCMT ref: 0043AD51
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
• Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
• Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A

APIs
• Sleep.KERNEL32(00000000,?), ref: 004044C4
  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: H_prologSleep
• String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
• API String ID: 3469354165-3054508432
• Opcode ID: 588905819a17ed9d8355987b74c7beb25f2e927385f5d419dcb4dc6cdd0db807
• Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
• Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E

APIs
  • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
• SetLastError.KERNEL32(000000C1,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
• GetNativeSystemInfo.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
• SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 00411E04
  • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00411CEE
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,00000000), ref: 00411E4B
• HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411E52
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411F65
  • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,00000000), ref: 00412122
  • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 00412129
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
• String ID:
• API String ID: 3950776272-0
• Opcode ID: 0997a6c101f2dd0e8850336bac1793923a5345a50e97098554ef69f44a303648
• Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
• Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9

Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: __cftoe
• String ID:
• API String ID: 4189289331-0
• Opcode ID: 30f97a14dd6f87c9245b8e0b778041a74f07a421c1ac77e9beff42b74887127b
• Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
• Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ChangeConfigManager
• String ID:
• API String ID: 493672254-0
• Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
• Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
• Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB

Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• String ID: PkGNG
• API String ID: 1036877536-263838557
• Opcode ID: 8f78adc186be73fa66820e99e070c83f6be0ee509df7c4dfd67e0dde8c439993
• Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
• Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A

APIs
• GetLastError.KERNEL32(?,0043F770,0043A875,0043F770,00474EF8,PkGNG,0043CE65,FF8BC35D,00474EF8,00474EF8), ref: 00448299
• _free.LIBCMT ref: 004482CC
• _free.LIBCMT ref: 004482F4
• SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448301
• SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044830D
• _abort.LIBCMT ref: 00448313
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
• Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
• Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
• Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
• Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
• Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
• Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9

APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
• String ID:
• API String ID: 221034970-0
• Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
• Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
• Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9

Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID:
• String ID: PkGNG
• API String ID: 0-263838557
• Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
• Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
• Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
• CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
• CloseHandle.KERNEL32(?), ref: 00404DDB
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: Create$CloseEventHandleObjectSingleThreadWait
• String ID: PkGNG
• API String ID: 3360349984-263838557
• Opcode ID: 5462e3d1f33464a1ed2da8decfb29ddc2098cc431de268282224d20d0e393637
• Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
• Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

APIs
• GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
• wsprintfW.USER32 ref: 0040B22E
  • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: EventLocalTimewsprintf
• String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
• API String ID: 1497725170-248792730
• Opcode ID: b92970106d7d5ed65003fb4f3b7a0e91fd1e2f7406e6a9ff2526561c329a63fb
• Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
• Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD

APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
• Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
• CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: File$CloseCreateHandleSizeSleep
• String ID: XQG
• API String ID: 1958988193-3606453820
• Opcode ID: 09b71735cca9286fb237afdc81f34cc8b89fa37515d8f2a58262fc809d9c95cd
• Instruction ID: fa029248b1ac628aedb802b18ed81a98d1a4018e107c0b234daa3009ae89debe
• Instruction Fuzzy Hash: 96110130600740AADA31A734988961F7BA9DB45356F44483EF1866B6D3C67DDC64C71F

APIs
• RegisterClassExA.USER32(00000030), ref: 0041D5EC
• CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
• GetLastError.KERNEL32 ref: 0041D611
Memory Dump Source
• Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
Similarity
• API ID: ClassCreateErrorLastRegisterWindow
• String ID: 0$MsgWindowClass
• API String ID: 2877667751-2410386613
• Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
• Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
• Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4

                                                          APIs
                                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                                          • CloseHandle.KERNEL32(?), ref: 004077E5
                                                          • CloseHandle.KERNEL32(?), ref: 004077EA
                                                          Strings
                                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                                          • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CreateProcess
                                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                          • API String ID: 2922976086-4183131282
                                                          • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                          • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                                          • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                                          • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
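Added example (not part of the Joe Sandbox report and not code from the analysed sample): the CreateProcessA call listed above starts cmd.exe with /k so that reg.exe writes EnableLUA=0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. That value switches UAC off for every account once the machine restarts, and because the key lives under HKLM the write only succeeds when the process already holds administrative rights, so this is removal of a hardening control after elevation rather than an elevation technique. The Python below parses API-call lines in the form this report prints them, recovers the CreateProcess* command line (the report separates arguments with bare commas, so a command line containing commas is re-joined heuristically) and flags any reg.exe ADD that zeroes EnableLUA, ConsentPromptBehaviorAdmin or PromptOnSecureDesktop. The first sample line copies the call from this report; the other sample lines, the function names and the parsing heuristic are this example's own assumptions.

```python
"""Parse Joe Sandbox-style API call lines and flag UAC policy tampering.

Added example; not part of the report or of the analysed sample.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample input. The first line reproduces the CreateProcessA call
# from this report; the remaining lines are made up here for contrast.
SAMPLE_API_LINES = r"""
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
• CloseHandle.KERNEL32(?), ref: 004077E5
• GetLastError.KERNEL32 ref: 0041D611
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/c reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00401000
• CreateProcessW.KERNEL32(00000000,reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00401100
""".strip().splitlines()


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: List[str] = field(default_factory=list)


# '• Api.MODULE(arg,arg,...), ref: ADDR' or '• Api.MODULE ref: ADDR', optionally
# prefixed with 'Part of subcall function ADDR:' as the report does for callees.
_API_LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# An argument the report could not resolve to a string: 8 hex digits or '?'.
_OPAQUE_ARG_RE = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")
# reg.exe ADD against the UAC policy key that sets one of the UAC values to 0.
_UAC_TAMPER_RE = re.compile(
    r'(?:^|[\s\\"])reg(?:\.exe)?\s+add\s+"?'
    r'hklm\\software\\microsoft\\windows\\currentversion\\policies\\system"?\s+'
    r'(?:.*?\s)?/v\s+(enablelua|consentpromptbehavioradmin|promptonsecuredesktop)\b'
    r'.*?/d\s+0\b',
    re.IGNORECASE,
)


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one API-call line from the report; return None for any other line."""
    m = _API_LINE_RE.match(line)
    if m is None:
        return None
    raw_args = m.group("args")
    args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
    return ApiCall(m.group("api"), m.group("module"), m.group("ref").upper(), args)


def create_process_command_line(call: ApiCall) -> Optional[str]:
    """Recover lpApplicationName + lpCommandLine from a CreateProcess* call.

    Heuristic: the numeric and '?' arguments that follow the two string
    arguments are stripped from the end; the first remaining token is the
    application name (dropped if it is a NULL/opaque value) and the rest is
    re-joined with commas, restoring a command line that contained commas.
    """
    if not call.api.startswith("CreateProcess"):
        return None
    n = len(call.args)
    while n > 0 and _OPAQUE_ARG_RE.match(call.args[n - 1]):
        n -= 1
    head = call.args[:n]
    if not head:
        return None
    app = "" if _OPAQUE_ARG_RE.match(head[0]) else head[0]
    cmd = ",".join(head[1:])
    return (app + " " + cmd).strip() or None


def find_uac_policy_tampering(lines: Iterable[str]) -> List[dict]:
    """One finding per CreateProcess* call whose command line zeroes a UAC policy value."""
    findings = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        cmd = create_process_command_line(call)
        if cmd is None:
            continue
        m = _UAC_TAMPER_RE.search(cmd)
        if m is not None:
            findings.append({"ref": call.ref, "api": call.api,
                             "value": m.group(1), "command_line": cmd})
    return findings


if __name__ == "__main__":
    for hit in find_uac_policy_tampering(SAMPLE_API_LINES):
        print(f"{hit['ref']} {hit['api']}: sets {hit['value']}=0 via: {hit['command_line']}")
```

The same regular expression applies unchanged to the command-line field of Windows 4688 or Sysmon event ID 1 records. On a host, `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA` shows whether the value was actually flipped, and a cmd.exe still running under the sample's process tree is the side effect of the /k switch, which keeps the shell open after reg.exe returns.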
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: SG$C:\Users\user\Desktop\aDGx3jaI7i.exe
                                                          • API String ID: 0-3737536350
                                                          • Opcode ID: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                                          • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                                          • Opcode Fuzzy Hash: 534232ae4986bc0cd44d5d9dbb6e579f37bf6e7b645008295a27304146529b35
                                                          • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                                          • SetEvent.KERNEL32(?), ref: 0040512C
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                                          • CloseHandle.KERNEL32(?), ref: 00405140
                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                          • String ID: KeepAlive | Disabled
                                                          • API String ID: 2993684571-305739064
                                                          • Opcode ID: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                          • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                                          • Opcode Fuzzy Hash: 260c2b08e01b5d66b359e99273a0c89895ec309b6af50f33d4504d26b953d9d7
                                                          • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                                          APIs
                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                                          • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                                          • Sleep.KERNEL32(00002710), ref: 0041AE98
                                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                                          • String ID: Alarm triggered
                                                          • API String ID: 614609389-2816303416
                                                          • Opcode ID: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                                          • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                                          • Opcode Fuzzy Hash: fc1dfc3d80636db02bd80d67f349f84282c1adb2487fd06cf6dad27e320cdf65
                                                          • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                                          • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                                          • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                                          Strings
                                                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                          • API String ID: 3024135584-2418719853
                                                          • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                          • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                                          • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                                          • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                          • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                                          • Opcode Fuzzy Hash: 3500d967bf213ad3b95b014004bc41782de99095ad53c5e0f3d0147f9504bf37
                                                          • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                                          APIs
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                                          • _free.LIBCMT ref: 0044943D
                                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                          • _free.LIBCMT ref: 00449609
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                          • String ID:
                                                          • API String ID: 1286116820-0
                                                          • Opcode ID: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                          • Instruction ID: 45cf5ea20785abb2a7eec221213eb08c1b8584214e6df16efc40294c4842d026
                                                          • Opcode Fuzzy Hash: 5cd2e88b37ead4a53a3ad7e2b8222e2e62bf3e8d34a7aba608fbabac987024fa
                                                          • Instruction Fuzzy Hash: 1B51EC71900205ABEB14EF69DD819AFB7B8EF44724F20066FE418D3291EB789D41DB58
                                                          APIs
                                                            • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                                          • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                                            • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                            • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 4269425633-0
                                                          • Opcode ID: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
                                                          • Instruction ID: d02cab962e177bd28921c4f9a71df23b762ba7d31cecf8da060328e0f3db66c6
                                                          • Opcode Fuzzy Hash: f228ff349881c5e95adb389dcff9344117252c23684542f11b6a3310bcbf0aa2
                                                          • Instruction Fuzzy Hash: 5F4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                          • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                                          • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                                          • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                                            • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435349,?,?,004388C7,?,?,00000000,00476B50,?,0040DE9D,00435349,?,?,?,?), ref: 004461EA
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                                          • _free.LIBCMT ref: 0044F43F
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                          • String ID:
                                                          • API String ID: 336800556-0
                                                          • Opcode ID: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                          • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                                          • Opcode Fuzzy Hash: 7d1f56057eec42b9e44eaca7954531e52edb8e618f6c0f5134274d299c642649
                                                          • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C5A1,00000000,00000000,00000000), ref: 0041C4C1
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4DE
                                                          • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4EA
                                                          • WriteFile.KERNEL32(00000000,00000000,00000000,00406FC0,00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C4FB
                                                          • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C5A1,00000000,00000000), ref: 0041C508
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreatePointerWrite
                                                          • String ID:
                                                          • API String ID: 1852769593-0
                                                          • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                          • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                                          • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                                          • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639
                                                          APIs
                                                          • GetLastError.KERNEL32(?,00000000,?,0043BCD6,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044831E
                                                          • _free.LIBCMT ref: 00448353
                                                          • _free.LIBCMT ref: 0044837A
                                                          • SetLastError.KERNEL32(00000000), ref: 00448387
                                                          • SetLastError.KERNEL32(00000000), ref: 00448390
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free
                                                          • String ID:
                                                          • API String ID: 3170660625-0
                                                          • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                          • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                                          • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                                          • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                                          APIs
                                                          • _free.LIBCMT ref: 00450A54
                                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                          • _free.LIBCMT ref: 00450A66
                                                          • _free.LIBCMT ref: 00450A78
                                                          • _free.LIBCMT ref: 00450A8A
                                                          • _free.LIBCMT ref: 00450A9C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                          • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                                          • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                                          • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                                          APIs
                                                          • _free.LIBCMT ref: 00444106
                                                            • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                                            • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                                          • _free.LIBCMT ref: 00444118
                                                          • _free.LIBCMT ref: 0044412B
                                                          • _free.LIBCMT ref: 0044413C
                                                          • _free.LIBCMT ref: 0044414D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                          • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                                          • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                                          • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PkGNG
                                                          • API String ID: 0-263838557
                                                          • Opcode ID: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                          • Instruction ID: da8fb74aa53f7b39327717419ea6793f6800af9799f3d5c2cf6102f7e15971fb
                                                          • Opcode Fuzzy Hash: 5e00ae4c16f04a5a408ad6ef1dd4f82ff0aaed16414488ba1079334ecebbb015
                                                          • Instruction Fuzzy Hash: 1451C171D00209AAEF109FA5D885BAFBBB8EF45314F14015FE905A7291CB38D911CBA9
                                                          APIs
                                                          • _strpbrk.LIBCMT ref: 0044E7B8
                                                          • _free.LIBCMT ref: 0044E8D5
                                                            • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,?,?,?,?,?,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                                            • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD8C
                                                            • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000), ref: 0043BD93
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                          • String ID: *?$.
                                                          • API String ID: 2812119850-3972193922
                                                          • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                          • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                                          • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                                          • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CountEventTick
                                                          • String ID: !D@$NG
                                                          • API String ID: 180926312-2721294649
                                                          • Opcode ID: a4aab35ccc54d2c049395e9cccc79d0a895acf0a29bf002e31ef8271a6ce894c
                                                          • Instruction ID: 3ac9408315e1e6036cedb879f74fb80cbd33a95067926c5a5f9e9f7d680cff10
                                                          • Opcode Fuzzy Hash: a4aab35ccc54d2c049395e9cccc79d0a895acf0a29bf002e31ef8271a6ce894c
                                                          • Instruction Fuzzy Hash: 3E51A5315082019AC724FB32D852AFF73A5AF94304F50483FF54A671E2EF3C5945C68A
                                                          APIs
                                                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                                            • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                                            • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                                            • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFileKeyboardLayoutNameconnectsend
                                                          • String ID: XQG$NG$PG
                                                          • API String ID: 1634807452-3565412412
                                                          • Opcode ID: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                          • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                                          • Opcode Fuzzy Hash: fd0e2637303639c3914413e18f481dca8088ebaee1bdd9cde4e16d3ac9440c52
                                                          • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\aDGx3jaI7i.exe,00000104), ref: 00443515
                                                          • _free.LIBCMT ref: 004435E0
                                                          • _free.LIBCMT ref: 004435EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$FileModuleName
                                                          • String ID: C:\Users\user\Desktop\aDGx3jaI7i.exe
                                                          • API String ID: 2506810119-981402267
                                                          • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                          • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                                          • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                                          • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952
                                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B980
                                                          • GetLastError.KERNEL32 ref: 0044B9B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharErrorFileLastMultiWideWrite
                                                          • String ID: PkGNG
                                                          • API String ID: 2456169464-263838557
                                                          • Opcode ID: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                          • Instruction ID: 31ac96f82a5847659344ef20b41dc67af7a50504b34fbd786f6314a6cc22fa3b
                                                          • Opcode Fuzzy Hash: f851102e1cc74a1ce765c461dca65e8698d1b877b070f44673effa5d02d51bb5
                                                          • Instruction Fuzzy Hash: B13161B5A102199FDB14CF59DD819EAB7B9FB08305F0444BEE90AD7251D734ED80CBA4
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                                            • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041BA30
                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                                            • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                                            • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                          • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                          • String ID: /sort "Visit Time" /stext "$0NG
                                                          • API String ID: 368326130-3219657780
                                                          • Opcode ID: f5c404a57f00050fa5d5548abde154df0d56c489b7f689880ad68785094229b8
                                                          • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                                          • Opcode Fuzzy Hash: f5c404a57f00050fa5d5548abde154df0d56c489b7f689880ad68785094229b8
                                                          • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00416330
                                                            • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                                            • Part of subcall function 004138B2: RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                                            • Part of subcall function 004138B2: RegCloseKey.ADVAPI32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                                            • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _wcslen$CloseCreateValue
                                                          • String ID: !D@$okmode$PG
                                                          • API String ID: 3411444782-3370592832
                                                          • Opcode ID: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                                                          • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                                          • Opcode Fuzzy Hash: 33c7808d8a7b0bded71eafecf17113fbf2925580b38271ada3cd576753f1e43b
                                                          • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
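The argument lists printed for RegCreateKeyA/RegSetValueExA above, for the CreateFileW and WideCharToMultiByte calls, and for the IsProcessorFeaturePresent/GetCurrentProcess/TerminateProcess sequence in the earlier entry are raw hex. The following Python is an added example, not part of the Joe Sandbox report, that parses lines in this listing's format and maps the positional parameters of a few Win32 calls to their named constants. It assumes the report echoes no string argument containing a comma, and it treats everything beyond an API's real parameter count as stack residue from the caller's frame rather than as a parameter (which is why GetCurrentProcess, which takes no parameters, is shown with C0000417 next to it: that value is STATUS_INVALID_CRUNTIME_PARAMETER, the exit code the CRT's invalid-parameter handler passes to TerminateProcess, so that subcall is CRT boilerplate rather than RAT logic).

```python
import re

# Added example (not part of the Joe Sandbox report): decode the raw argument
# lists the report prints for selected Win32 calls into their named constants.
# Constructed input: API-call lines copied from the function listing above.
SAMPLE_LINES = [
    "• RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0",
    "• RegSetValueExA.ADVAPI32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB",
    "• Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB",
    "• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BBFE,?,00000000,FF8BC35D), ref: 0044B952",
    "• Sleep.KERNEL32(000000FA,00465E84), ref: 00404138",
    "• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173",
    "• Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,?,?,?,?,?,00000000,?,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A",
    "• Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD8C",
    "• _free.LIBCMT ref: 0044E8D5",
]

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(1, "FILE_SHARE_READ"), (2, "FILE_SHARE_WRITE"), (4, "FILE_SHARE_DELETE")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
CODEPAGES = {0: "CP_ACP", 1: "CP_OEMCP", 65000: "CP_UTF7", 65001: "CP_UTF8"}
NTSTATUS = {0xC0000417: "STATUS_INVALID_CRUNTIME_PARAMETER"}


def _flags(value, table):
    names = [name for bit, name in table if value & bit]
    return "|".join(names) if names else "0"


def _ms(value):
    return "INFINITE" if value == 0xFFFFFFFF else f"{value} ms"


# api -> (number of real parameters, {parameter index: (name, decoder)}).
# The report prints more values than the API takes; the surplus is stack
# residue from the caller's frame and must not be read as parameters.
DECODERS = {
    "RegCreateKeyA": (3, {0: ("hKey", lambda v: HKEYS.get(v, hex(v)))}),
    "RegSetValueExA": (6, {3: ("dwType", lambda v: REG_TYPES.get(v, hex(v))),
                           5: ("cbData", lambda v: f"{v} bytes")}),
    "CreateFileW": (7, {1: ("dwDesiredAccess", lambda v: _flags(v, GENERIC)),
                        2: ("dwShareMode", lambda v: _flags(v, SHARE)),
                        4: ("dwCreationDisposition", lambda v: DISPOSITION.get(v, hex(v))),
                        5: ("dwFlagsAndAttributes",
                            lambda v: "FILE_ATTRIBUTE_NORMAL" if v == 0x80 else hex(v))}),
    "WideCharToMultiByte": (8, {0: ("CodePage", lambda v: CODEPAGES.get(v, str(v)))}),
    "Sleep": (1, {0: ("dwMilliseconds", _ms)}),
    "WaitForSingleObject": (2, {1: ("dwMilliseconds", _ms)}),
    "IsProcessorFeaturePresent": (1, {0: ("ProcessorFeature",
                                          lambda v: "PF_FASTFAIL_AVAILABLE" if v == 23 else str(v))}),
    "GetCurrentProcess": (0, {}),  # takes no parameters: everything shown is residue
    "TerminateProcess": (2, {1: ("uExitCode", lambda v: NTSTATUS.get(v, hex(v)))}),
}


def decode_line(line):
    """Parse one report line into api/module/ref, real parameters, residue and decoded fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    api, module, raw_args, ref = m.groups()
    # Assumption: string arguments echoed by the report never contain commas.
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    nparams, fields = DECODERS.get(api, (len(args), {}))
    decoded = {}
    for idx, (name, fn) in fields.items():
        if idx < min(nparams, len(args)):
            try:
                decoded[name] = fn(int(args[idx], 16))
            except ValueError:          # "?" or a string literal: leave as printed
                decoded[name] = args[idx]
    return {"api": api, "module": module, "ref": ref,
            "params": args[:nparams], "residue": args[nparams:], "decoded": decoded}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = decode_line(line)
        print(f"{r['api']:<26} @{r['ref']} {r['decoded']} residue={len(r['residue'])}")
```

Run against the lines above, the registry subcall resolves to a REG_DWORD of 4 bytes written under HKEY_CURRENT_USER, the two CreateFileW sites to GENERIC_READ / OPEN_EXISTING opens, the WideCharToMultiByte site to CP_UTF8, Sleep to 250 ms and WaitForSingleObject to a 1000 ms wait. The decoder tables cover only the calls in this section; extend DECODERS per API rather than guessing parameter positions for calls not listed.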
                                                          APIs
                                                            • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                                          Strings
                                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                                          • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                          • API String ID: 1174141254-1980882731
                                                          • Opcode ID: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                          • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                                          • Opcode Fuzzy Hash: 94e3019874633fdbfa545aa7663ce5ff9a408d6cc8816db895689c957fef93bc
                                                          • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                                          APIs
                                                            • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                                          • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                                          Strings
                                                          • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                                          • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                                          • API String ID: 1174141254-1980882731
                                                          • Opcode ID: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                          • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                                          • Opcode Fuzzy Hash: cd02b2d6f0091136f3bd33ffae0826dfdd9dcae469dd48ae7039cc879f52ebfc
                                                          • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
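The two entries above probe the Chrome and Edge cookie databases (User Data\Default\Network\Cookies and User Data\Profile ?\Network\Cookies under \AppData\Local\Google\Chrome\ and \AppData\Local\Microsoft\Edge\), and the earlier entry carries the command-line fragment /sort "Visit Time" /stext ", the switch pair NirSoft's BrowsingHistoryView uses to dump browsing history to a text file. The Python below is an added example, not part of the Joe Sandbox report, showing detection logic for both behaviours over constructed endpoint telemetry: file-access records are flagged when a cookie DB is opened by anything other than the browser that owns it, and process records when a command line carries the /sort "Visit Time" ... /stext pair. The event layout, the process names (sample.exe, bhv.exe) and the paths are invented for the demonstration; the `?` in the reported profile string is taken to stand for a profile number, which the rule matches with `\d+`.

```python
import re

# Added example (not part of the Joe Sandbox report). Constructed telemetry in the
# shape of file-access and process-create records; the field names, image names
# and paths are made up for the demonstration.
BROWSERS = {
    "chrome": (re.compile(r"\\Google\\Chrome\\User Data\\", re.I), {"chrome.exe"}),
    "edge":   (re.compile(r"\\Microsoft\\Edge\\User Data\\", re.I), {"msedge.exe"}),
}
# The sample probes the default profile and numbered profiles; mirror that.
# Assumption: the "?" in the reported string is a profile number.
COOKIE_DB = re.compile(r"\\User Data\\(Default|Profile \d+)\\Network\\Cookies$", re.I)
# Switch pair seen in the sample's strings (NirSoft BrowsingHistoryView usage).
HISTORY_DUMP = re.compile(r'/sort\s+"Visit Time".*?/stext\s+"', re.I)

EVENTS = [
    {"type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file", "image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Network\Cookies"},
    {"type": "file", "image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"type": "file", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"type": "file", "image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences"},
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\bhv.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\bhv.exe" /sort "Visit Time" /stext "C:\Users\user\AppData\Local\Temp\h.txt"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c dir "C:\Users\user\Desktop"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_file_event(ev):
    """Alert when a cookie database is opened by a process that is not its browser."""
    target = ev["target"]
    if not COOKIE_DB.search(target):
        return None
    for browser, (root, owners) in BROWSERS.items():
        if root.search(target):
            if basename(ev["image"]) in owners:
                return None
            return f"non-browser access to {browser} cookie DB by {basename(ev['image'])}"
    return None


def check_process_event(ev):
    """Alert on a browsing-history dump to a text file via /sort "Visit Time" /stext."""
    if HISTORY_DUMP.search(ev["cmdline"]):
        return f"browser history dump to text by {basename(ev['image'])}"
    return None


def evaluate(events):
    """Return (event index, message) for every record that trips a rule."""
    alerts = []
    for i, ev in enumerate(events):
        msg = check_file_event(ev) if ev["type"] == "file" else check_process_event(ev)
        if msg:
            alerts.append((i, msg))
    return alerts


if __name__ == "__main__":
    for idx, msg in evaluate(EVENTS):
        print(f"event {idx}: {msg}")
```

The owner allowlist is deliberately narrow; backup agents and some endpoint products also read these databases, so in production the check is usually paired with process ancestry or signer information rather than applied on its own. The Preferences access in the constructed data is left unflagged on purpose: the rule targets the cookie store the sample looks for, not every file under the profile directory.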
                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2B8,004750F0,00000000,00000000), ref: 0040A239
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2A2,004750F0,00000000,00000000), ref: 0040A249
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2C4,004750F0,00000000,00000000), ref: 0040A255
                                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread$LocalTimewsprintf
                                                          • String ID: Offline Keylogger Started
                                                          • API String ID: 465354869-4114347211
                                                          • Opcode ID: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                          • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                                          • Opcode Fuzzy Hash: 460aeebbd05c9109f8f1e9d4cf1c4a7c90257216c04fbe0fa29816e89daae231
                                                          • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                                          APIs
                                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2A2,?,00000000,00000000), ref: 0040AFA9
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2C4,?,00000000,00000000), ref: 0040AFB5
                                                          • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread$LocalTime$wsprintf
                                                          • String ID: Online Keylogger Started
                                                          • API String ID: 112202259-1258561607
                                                          • Opcode ID: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                          • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                                          • Opcode Fuzzy Hash: 77df2eb5e9a30333ff56a104ce6f74fac6c8f24925e0e44ba138bd3ce2eab701
                                                          • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                                          APIs
                                                          • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                                          • API String ID: 481472006-3277280411
                                                          • Opcode ID: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                          • Instruction ID: 036da7e0cd4114b6fa9428aab3af546923e8b827a5fb64715830670d2b1b9b5a
                                                          • Opcode Fuzzy Hash: d9bff088cb76c426919b24c8266bea5d45f0a8ea700e32831e669085e32f1d03
                                                          • Instruction Fuzzy Hash: 091190714082455AC304FB62D8519FFB3E9AB84348F50093FF88AA21E1EF3CDA45C69E
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?), ref: 00404F81
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                                          • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$EventLocalThreadTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 2532271599-1507639952
                                                          • Opcode ID: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                          • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                                          • Opcode Fuzzy Hash: a02ae91ac195284b5da0ea0fcd2ef2636c7927f14dee073a7222123f061fd718
                                                          • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
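The keylogger and keep-alive entries above expose plain strings in the unpacked image ("Offline Keylogger Started", "Online Keylogger Started", "KeepAlive | Enabled | Timeout: " and the "%02i:%02i:%02i:%03i" timestamp format written next to GetLocalTime). The Python below is an added example, not part of the Joe Sandbox report, that turns that list into a YARA rule text and also matches the strings directly against a memory dump in both ASCII and UTF-16LE, since the wsprintfW usage in the same functions suggests some of them may be stored wide. "PkGNG" is left out because it recurs in the CRT helper functions in this listing and carries no signal on its own. The dump bytes are constructed for the demonstration; the rule name is an assumption.

```python
# Added example (not part of the Joe Sandbox report). Plain strings taken from
# the listing above; "PkGNG" is left out because it recurs in CRT helper
# functions and is not specific to the keylogger/C2 code.
REMCOS_STRINGS = {
    "s_offline": "Offline Keylogger Started",
    "s_online": "Online Keylogger Started",
    "s_keepalive": "KeepAlive | Enabled | Timeout: ",
    "s_tsfmt": "%02i:%02i:%02i:%03i",
}


def yara_rule(name, strings, min_hits=3):
    """Render a YARA rule that matches each string as ASCII or UTF-16LE."""
    def esc(s):
        return s.replace("\\", "\\\\").replace('"', '\\"')
    body = "\n".join(f'        ${k} = "{esc(v)}" ascii wide' for k, v in strings.items())
    return (f"rule {name}\n{{\n    strings:\n{body}\n"
            f"    condition:\n        {min_hits} of ($s*)\n}}\n")


def scan(buf, strings=REMCOS_STRINGS):
    """Return {id: [(offset, encoding), ...]} for every occurrence in buf."""
    hits = {}
    for key, text in strings.items():
        for enc, needle in (("ascii", text.encode("ascii")),
                            ("wide", text.encode("utf-16-le"))):
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                hits.setdefault(key, []).append((pos, enc))
                start = pos + 1
    return hits


def verdict(buf, strings=REMCOS_STRINGS, min_hits=3):
    """True when at least min_hits distinct strings are present, like the rule's condition."""
    return len(scan(buf, strings)) >= min_hits


# Constructed dump: ASCII and wide copies of some strings among filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"KeepAlive | Enabled | Timeout: 60000\x00"
    + b"\xcc" * 8
    + "Offline Keylogger Started".encode("utf-16-le") + b"\x00\x00"
    + b"%02i:%02i:%02i:%03i \x00"
    + b"\x90" * 32
)
BENIGN_DUMP = b"MZ\x90\x00" + b"Connection established\x00" + b"\x00" * 64


if __name__ == "__main__":
    print(yara_rule("Remcos_keylogger_strings", REMCOS_STRINGS))
    for key, where in scan(SAMPLE_DUMP).items():
        print(key, where)
    print("sample:", verdict(SAMPLE_DUMP), "benign:", verdict(BENIGN_DUMP))
```

Requiring three of four strings keeps a single shared log phrase from firing the rule, and the pure-Python scanner gives the same answer as the rendered rule would for these literal strings, which is useful when checking a dump in an environment without yara installed.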
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: CryptUnprotectData$crypt32
                                                          • API String ID: 2574300362-2380590389
                                                          • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                          • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                                          • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                                          • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                                          APIs
                                                          • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C382,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C30C
                                                          • GetLastError.KERNEL32 ref: 0044C316
                                                          • __dosmaperr.LIBCMT ref: 0044C31D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorFileLastPointer__dosmaperr
                                                          • String ID: PkGNG
                                                          • API String ID: 2336955059-263838557
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                                          • CloseHandle.KERNEL32(?), ref: 004051CA
                                                          • SetEvent.KERNEL32(?), ref: 004051D9
                                                          • API ID: CloseEventHandleObjectSingleWait
                                                          • String ID: Connection Timeout
                                                          • API String ID: 2055531096-499159329
                                                          APIs
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                                          • API ID: Exception@8Throw
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2005118841-1866435925
                                                          APIs
                                                          • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB9A
                                                          • LocalFree.KERNEL32(?,?), ref: 0041CBC0
                                                          • API ID: FormatFreeLocalMessage
                                                          • String ID: @J@$PkGNG
                                                          • API String ID: 1427518018-1416487119
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                                            • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                          • String ID: bad locale name
                                                          • API String ID: 3628047217-1405518554
                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046612C), ref: 004137B9
                                                          • RegSetValueExA.ADVAPI32(0046612C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000), ref: 004137E1
                                                          • RegCloseKey.ADVAPI32(0046612C,?,?,0041CB42,WallpaperStyle,0046612C,00000001,00474EE0,00000000,?,00408798,00000001), ref: 004137EC
                                                          • API ID: CloseCreateValue
                                                          • String ID: Control Panel\Desktop
                                                          • API String ID: 1818849710-27424756
                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                                          • ShowWindow.USER32(00000009), ref: 00416C9C
                                                          • SetForegroundWindow.USER32 ref: 00416CA8
                                                            • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                                            • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                                            • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                                          • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                                          • String ID: !D@
                                                          • API String ID: 3446828153-604454484
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                                          • API ID: ExecuteShell
                                                          • String ID: /C $cmd.exe$open
                                                          • API String ID: 587946157-3896048727
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: GetCursorInfo$User32.dll
                                                          • API String ID: 1646373207-2714051624
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetLastInputInfo$User32.dll
                                                          • API String ID: 2574300362-1519888992
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          Strings
                                                          • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                                          • Cleared browsers logins and cookies., xrefs: 0040C130
                                                          • API ID: Sleep
                                                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                          • API String ID: 3472027048-1236744412
                                                          APIs
                                                            • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                                            • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                                            • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                                          • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                                          • Sleep.KERNEL32(00000064), ref: 0040A638
                                                          • API ID: Window$SleepText$ForegroundLength
                                                          • String ID: [ $ ]
                                                          • API String ID: 3309952895-93608704
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                                          • GetLastError.KERNEL32(?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,?,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID:
                                                          • API String ID: 3177248105-0
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C52F
                                                          • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C543
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E84), ref: 0041C568
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E84), ref: 0041C576
                                                          • API ID: File$CloseCreateHandleReadSize
                                                          • String ID:
                                                          • API String ID: 3919263394-0
                                                          APIs
                                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                                          • API ID: CloseHandleOpenProcess
                                                          • String ID:
                                                          • API String ID: 39102293-0
                                                          • Opcode ID: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                                                          • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                                          • Opcode Fuzzy Hash: 81942e7addce2a1bdc39bfb83f2669cd8d6753e4bd6c5855ff2ce9cbe7850470
                                                          • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                                          APIs
                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                                            • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                                          • _UnwindNestedFrames.LIBCMT ref: 00439911
                                                          • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                                          • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                          • String ID:
                                                          • API String ID: 2633735394-0
                                                          • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                          • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                                          • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                                          • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                                          APIs
                                                          • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                                          • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                                          • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                                          • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MetricsSystem
                                                          • String ID:
                                                          • API String ID: 4116985748-0
                                                          • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                          • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                                          • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                                          • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                                          APIs
                                                          • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                                          • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                                          • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                                            • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                                          • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                          • String ID:
                                                          • API String ID: 1761009282-0
                                                          • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                          • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                                          • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                                          • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                                          APIs
                                                          • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorHandling__start
                                                          • String ID: pow
                                                          • API String ID: 3213639722-2276729525
                                                          • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                          • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                                          • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                                          • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F8F
                                                          • GetLastError.KERNEL32 ref: 00449FAB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharErrorLastMultiWide
                                                          • String ID: PkGNG
                                                          • API String ID: 203985260-263838557
                                                          • Opcode ID: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                                          • Instruction ID: e4919e29a80df6b7ced925805d10dfcffaa1b378e184719e11b938f1b8f94c7b
                                                          • Opcode Fuzzy Hash: d1185fb95bfff78fff583c453b007e19375680cfc0f7d37f8e74ebb942ffdfee
                                                          • Instruction Fuzzy Hash: 2331E430200201ABFB21EF56C845BAB7768EF45721F15016BF815C7391DB38CD45E7A9
                                                          APIs
                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                          • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Init_thread_footer__onexit
                                                          • String ID: [End of clipboard]$[Text copied to clipboard]
                                                          • API String ID: 1881088180-3686566968
                                                          • Opcode ID: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                                                          • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                                          • Opcode Fuzzy Hash: 7be63757e29b9f91be4cc1fce50211db745ac7e2ddcf3fa0e25e131e1c8bf245
                                                          • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                                          APIs
                                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ACP$OCP
                                                          • API String ID: 0-711371036
                                                          • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                          • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                                          • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                                          • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                                          APIs
                                                          • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BBEE,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B85B
                                                          • GetLastError.KERNEL32 ref: 0044B884
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: PkGNG
                                                          • API String ID: 442123175-263838557
                                                          • Opcode ID: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                          • Instruction ID: 9972a58bdd01e134d13becd973f3089a2f7b3635eb9ddb95e5d59f4384582b5e
                                                          • Opcode Fuzzy Hash: 9f33f136d580808b36a549075194831cac44b680ed95d57240af363647088f83
                                                          • Instruction Fuzzy Hash: B2316F31A00619DBCB24DF59DD8099AF3F9FF48301B1485AAE909D7261E734ED81CBA8
                                                          APIs
                                                          • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BC0E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B76D
                                                          • GetLastError.KERNEL32 ref: 0044B796
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: PkGNG
                                                          • API String ID: 442123175-263838557
                                                          • Opcode ID: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                          • Instruction ID: c865f2f287ade0309940dd9d446f9ab1351fd896516eb6f8948e0fb5ca6ebdce
                                                          • Opcode Fuzzy Hash: 482fa6ac77512a0fc819500aa413458c203250297fd7de672378db3e029a087c
                                                          • Instruction Fuzzy Hash: 69219435600219DFDB14CF69D980BEAB3F9EB48312F1048AAE94AD7251D734ED85CB64
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                          • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 481472006-1507639952
                                                          • Opcode ID: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                                          • Instruction ID: e3b05ee6596aa2f5bef7afedc99ae4e94a3de8d8e2082a6dce2ef35069f0368d
                                                          • Opcode Fuzzy Hash: 145f269d181a8435875c36411829170d0c63d951855ea4e88e6edb1186bb4574
                                                          • Instruction Fuzzy Hash: 8D2104719107806BD700B736980A76F7B64E751308F44097EE8491B2E2EB7D5A88CBEF
                                                          APIs
                                                          • Sleep.KERNEL32 ref: 0041667B
                                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DownloadFileSleep
                                                          • String ID: !D@
                                                          • API String ID: 1931167962-604454484
                                                          • Opcode ID: 092e42fcb9aaa0e887aa486cfc6f9746e7f9b69877162c24d85fe42e211bf098
                                                          • Instruction ID: 05e88009b36717a37a8ab5ea381c0ce1ab0270976c353b8abb87c8adb32aa340
                                                          • Opcode Fuzzy Hash: 092e42fcb9aaa0e887aa486cfc6f9746e7f9b69877162c24d85fe42e211bf098
                                                          • Instruction Fuzzy Hash: F21142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: alarm.wav$hYG
                                                          • API String ID: 1174141254-2782910960
                                                          • Opcode ID: b1264f66081e357ea998da1c4a3710e4054d322a9d90202bb867bf05cfcdbcb2
                                                          • Instruction ID: 4122455f09fb97d0238bc6f6df8f07100adf7eded08faacdf9dae369850c3b42
                                                          • Opcode Fuzzy Hash: b1264f66081e357ea998da1c4a3710e4054d322a9d90202bb867bf05cfcdbcb2
                                                          • Instruction Fuzzy Hash: 6401B57078831156CA04F77688166EE77959B80718F00847FF64A162E2EFBC9E59C6CF
                                                          APIs
                                                            • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B1AD
                                                            • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                                            • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                                          • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                                          • UnhookWindowsHookEx.USER32 ref: 0040B102
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                          • String ID: Online Keylogger Stopped
                                                          • API String ID: 1623830855-1496645233
                                                          • Opcode ID: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                                                          • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                                          • Opcode Fuzzy Hash: d2011962e6819f9b37a51f0e1cf8c7d5879c21619fea64d9aec53d325501bd1f
                                                          • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                                          APIs
                                                          • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,A4E85006,00000001,?,0043CEA5), ref: 00448CA4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: String
                                                          • String ID: LCMapStringEx$PkGNG
                                                          • API String ID: 2568140703-1065776982
                                                          • Opcode ID: aac5d351483de452061b997450265c1da9567a4c5720285b7a7b965a3286f227
                                                          • Instruction ID: c3f282dcf0fd97a5c368a601407465e3bede0a00add2935535d0592c00eac712
                                                          • Opcode Fuzzy Hash: aac5d351483de452061b997450265c1da9567a4c5720285b7a7b965a3286f227
                                                          • Instruction Fuzzy Hash: 3001253254120CFBCF02AF91DD02EEE7F66EF08751F04416AFE1965161CA3A8971EB99
                                                          APIs
                                                          • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                                          • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$BufferHeaderPrepare
                                                          • String ID: XMG
                                                          • API String ID: 2315374483-813777761
                                                          • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                          • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                                          • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                                          • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                                          APIs
                                                          • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocaleValid
                                                          • String ID: IsValidLocaleName$kKD
                                                          • API String ID: 1901932003-3269126172
                                                          • Opcode ID: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                          • Instruction ID: c774fcfd7954269485cc3e12fd2bed3330e0a6a7af379781e67d062e13931268
                                                          • Opcode Fuzzy Hash: e2be842f2307acef5cef967ff3e72c46beaafbec9f28b2cc6d0622aebebc3446
                                                          • Instruction Fuzzy Hash: 9BF05230A80708FBDB016B60DC06FAE7B54CB44B12F10007EFD046B291DE799E0091ED
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                                          • API String ID: 1174141254-4188645398
                                                          • Opcode ID: f9a07996837724957705d56df4e2d94e9c7b3399acd9f5249461b7d2a15f9b23
                                                          • Instruction ID: 9b0ec594f197676e752fca63164bf20e3c748e9c9f1ad615e42e10c79405690b
                                                          • Opcode Fuzzy Hash: f9a07996837724957705d56df4e2d94e9c7b3399acd9f5249461b7d2a15f9b23
                                                          • Instruction Fuzzy Hash: FEF05E30A00219A6CA04BBB69C478AF7B289910759B40017FBA01B21D3EE78994586DD
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                                          • API String ID: 1174141254-2800177040
                                                          • Opcode ID: b27d649c1a99b770e2ee573beac095cc0176eb12c484dff086be6ac562635e32
                                                          • Instruction ID: ebfb9b6c20c42028ef61fa2b9513503d2b9bf0243ac81fc6585c9643e3935da3
                                                          • Opcode Fuzzy Hash: b27d649c1a99b770e2ee573beac095cc0176eb12c484dff086be6ac562635e32
                                                          • Instruction Fuzzy Hash: F1F05E70A0021AE6CA04BBB69C478EF7B2C9910755B40017BBA01721D3FE7CA94586ED
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: AppData$\Opera Software\Opera Stable\
                                                          • API String ID: 1174141254-1629609700
                                                          • Opcode ID: 92b8fe468143de46e4b25ecc4db10b81df2d2be94452298da839e48cb23232ed
                                                          • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                                          • Opcode Fuzzy Hash: 92b8fe468143de46e4b25ecc4db10b81df2d2be94452298da839e48cb23232ed
                                                          • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                                          APIs
                                                          • GetKeyState.USER32(00000011), ref: 0040B686
                                                            • Part of subcall function 0040A41B: GetForegroundWindow.USER32 ref: 0040A451
                                                            • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                                            • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                                            • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                                            • Part of subcall function 0040A41B: GetKeyboardState.USER32(?), ref: 0040A479
                                                            • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A49C
                                                            • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                                            • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,00000000,0040B245,00000000), ref: 0040A69D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                          • String ID: [AltL]$[AltR]
                                                          • API String ID: 2738857842-2658077756
                                                          • Opcode ID: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
                                                          • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                                          • Opcode Fuzzy Hash: 973633859d93ff8360b83ac9e1d77558cdb0b7c4d5bdbb5f5e50dc46d20ac961
                                                          • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AB37), ref: 00448A16
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Time$FileSystem
                                                          • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                                          • API String ID: 2086374402-949981407
                                                          • Opcode ID: 36094b6d006a7c5976d2fe62b58f2756bffc72267d66b89a94896d775de98ed0
                                                          • Instruction ID: bacba389ed7ed90706db716b221aab5ed2509560655679cc0f09f15d90276a03
                                                          • Opcode Fuzzy Hash: 36094b6d006a7c5976d2fe62b58f2756bffc72267d66b89a94896d775de98ed0
                                                          • Instruction Fuzzy Hash: 79E0E531A81618FBD7116B25EC02E7EBB50DB08B02B10027FFC05A7292EE754D14D6DE
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExecuteShell
                                                          • String ID: !D@$open
                                                          • API String ID: 587946157-1586967515
                                                          • Opcode ID: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                                          • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                                          • Opcode Fuzzy Hash: 30a1d241cab23d886832e5a2cf84020a5ff996eade7e739dca91f4d882a6cfc9
                                                          • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                                          APIs
                                                          • ___initconout.LIBCMT ref: 004555DB
                                                            • Part of subcall function 00456B9D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004555E0,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000), ref: 00456BB0
                                                          • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B61D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB99,?), ref: 004555FE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ConsoleCreateFileWrite___initconout
                                                          • String ID: PkGNG
                                                          • API String ID: 3087715906-263838557
                                                          • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                                          • Instruction ID: 53f4b2898eb153bde3bf118a85e4039abf363423ff24ad7888d91dc13aa78fd6
                                                          • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                                          • Instruction Fuzzy Hash: C5E0EDB0100548BBDA208B69DC29EBA3328EB00331F500369FE29C62D2EB34EC44C769
                                                          APIs
                                                          • GetKeyState.USER32(00000012), ref: 0040B6E0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State
                                                          • String ID: [CtrlL]$[CtrlR]
                                                          • API String ID: 1649606143-2446555240
                                                          • Opcode ID: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                                          • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                                          • Opcode Fuzzy Hash: 1321bbb6cc8174ef42da852326f734558715e41d50b56193fb2d1a3bfc871e5f
                                                          • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                                          APIs
                                                            • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                                          • __Init_thread_footer.LIBCMT ref: 00410F64
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Init_thread_footer__onexit
                                                          • String ID: ,kG$0kG
                                                          • API String ID: 1881088180-2015055088
                                                          • Opcode ID: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                          • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                                          • Opcode Fuzzy Hash: 9b05eae692bf82ff893255be440f7f21efe509fead0387458dc7709882e6db21
                                                          • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D509,00000000,?,00000000), ref: 00413A6C
                                                          • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A80
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteOpenValue
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                          • API String ID: 2654517830-1051519024
                                                          • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                          • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                                          • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                                          • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                                          • GetLastError.KERNEL32 ref: 00440D85
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                          • String ID:
                                                          • API String ID: 1717984340-0
                                                          • Opcode ID: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                          • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                                          • Opcode Fuzzy Hash: aa9c90e467390f2e0f6591fe7c9965b03d9b59885bed7a4237b1e33e934d31eb
                                                          • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                                          APIs
                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                                          • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                                          • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00411CB5
                                                          • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.1327256007.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_aDGx3jaI7i.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastRead
                                                          • String ID:
                                                          • API String ID: 4100373531-0
                                                          • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                          • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                                          • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                                          • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99

                                                          Execution Graph

                                                          Execution Coverage:11%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:188
                                                          Total number of Limit Nodes:7

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07313F96
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: d324a3de973a19847fa4a9097a02404bc8ac87ee6f79f0b4c04fbfc41bf6c243
                                                          • Instruction ID: 7d8154ee0d7e51429abfb7faea4ec87e188cc8c70973c9b70aed4829c52c123b
                                                          • Opcode Fuzzy Hash: d324a3de973a19847fa4a9097a02404bc8ac87ee6f79f0b4c04fbfc41bf6c243
                                                          • Instruction Fuzzy Hash: 5AA14EB1D0075ADFEB24DF69C841BEDBBB2BF48310F148569E808A7240DB759985CF92

                                                          Control-flow Graph
                                                          control_flow_graph 707 7313d60-7313df5 709 7313df7-7313e01 707->709 710 7313e2e-7313e4e 707->710 709->710 711 7313e03-7313e05 709->711 715 7313e50-7313e5a 710->715 716 7313e87-7313eb6 710->716 712 7313e07-7313e11 711->712 713 7313e28-7313e2b 711->713 717 7313e13 712->717 718 7313e15-7313e24 712->718 713->710 715->716 719 7313e5c-7313e5e 715->719 726 7313eb8-7313ec2 716->726 727 7313eef-7313fa9 CreateProcessA 716->727 717->718 718->718 720 7313e26 718->720 721 7313e81-7313e84 719->721 722 7313e60-7313e6a 719->722 720->713 721->716 724 7313e6c 722->724 725 7313e6e-7313e7d 722->725 724->725 725->725 728 7313e7f 725->728 726->727 729 7313ec4-7313ec6 726->729 738 7313fb2-7314038 727->738 739 7313fab-7313fb1 727->739 728->721 731 7313ee9-7313eec 729->731 732 7313ec8-7313ed2 729->732 731->727 733 7313ed4 732->733 734 7313ed6-7313ee5 732->734 733->734 734->734 736 7313ee7 734->736 736->731 749 7314048-731404c 738->749 750 731403a-731403e 738->750 739->738 751 731405c-7314060 749->751 752 731404e-7314052 749->752 750->749 753 7314040 750->753 755 7314070-7314074 751->755 756 7314062-7314066 751->756 752->751 754 7314054 752->754 753->749 754->751 758 7314086-731408d 755->758 759 7314076-731407c 755->759 756->755 757 7314068 756->757 757->755 760 73140a4 758->760 761 731408f-731409e 758->761 759->758 762 73140a5 760->762 761->760 762->762
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07313F96
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 001f54727174e44247dae2f0ec9abde12b7f83e0eb7827248e5a86cafcb0c10c
                                                          • Instruction ID: 97e487787cfd828faebaea87215f488ff153f455d1e40e46652f332215da7643
                                                          • Opcode Fuzzy Hash: 001f54727174e44247dae2f0ec9abde12b7f83e0eb7827248e5a86cafcb0c10c
                                                          • Instruction Fuzzy Hash: 09914CB1D0031ADFEB24DF69C8417EDBBB2BF48314F1485A9E808A7240DB759985CF92

                                                          Control-flow Graph
                                                          control_flow_graph 764 105b478-105b480 765 105b436-105b455 764->765 766 105b482-105b497 764->766 778 105b464-105b46c 765->778 779 105b457-105b462 765->779 768 105b4c3-105b4c7 766->768 769 105b499-105b4a6 call 1059ef8 766->769 770 105b4c9-105b4d3 768->770 771 105b4db-105b51c 768->771 775 105b4bc 769->775 776 105b4a8 769->776 770->771 782 105b51e-105b526 771->782 783 105b529-105b537 771->783 775->768 826 105b4ae call 105b710 776->826 827 105b4ae call 105b720 776->827 781 105b46f-105b474 778->781 779->781 782->783 785 105b539-105b53e 783->785 786 105b55b-105b55d 783->786 784 105b4b4-105b4b6 784->775 787 105b5f8-105b6b8 784->787 789 105b540-105b547 call 105b140 785->789 790 105b549 785->790 788 105b560-105b567 786->788 821 105b6c0-105b6eb GetModuleHandleW 787->821 822 105b6ba-105b6bd 787->822 793 105b574-105b57b 788->793 794 105b569-105b571 788->794 792 105b54b-105b559 789->792 790->792 792->788 796 105b57d-105b585 793->796 797 105b588-105b591 call 105b150 793->797 794->793 796->797 802 105b593-105b59b 797->802 803 105b59e-105b5a3 797->803 802->803 804 105b5a5-105b5ac 803->804 805 105b5c1-105b5ce 803->805 804->805 807 105b5ae-105b5be call 105b160 call 105b170 804->807 812 105b5f1-105b5f7 805->812 813 105b5d0-105b5ee 805->813 807->805 813->812 823 105b6f4-105b708 821->823 824 105b6ed-105b6f3 821->824 822->821 824->823 826->784 827->784
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0105B6DE
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1339070775.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1050000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 20af2ac2cc2ef9d6c355cfee3bf86ef2a9a107f887587ff9950d96c862709db5
                                                          • Instruction ID: 245571b3d90c0afafee86d4350caef7b5c0575f3cce4081f88ee3b694f8f49fd
                                                          • Opcode Fuzzy Hash: 20af2ac2cc2ef9d6c355cfee3bf86ef2a9a107f887587ff9950d96c862709db5
                                                          • Instruction Fuzzy Hash: 8A913570A00B058FD7A5CF29D04579ABBF2BF48304F008969D586DBA51DB75E846CB90

                                                          Control-flow Graph
                                                          control_flow_graph 828 10544b4-10559d9 CreateActCtxA 831 10559e2-1055a3c 828->831 832 10559db-10559e1 828->832 839 1055a3e-1055a41 831->839 840 1055a4b-1055a4f 831->840 832->831 839->840 841 1055a51-1055a5d 840->841 842 1055a60 840->842 841->842 844 1055a61 842->844 844->844
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 010559C9
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1339070775.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1050000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 9bd0d4c35a0d43f9f340397e5da8c2ddf8831cdbf59e9a46c62ee2ae4a3333be
                                                          • Instruction ID: b32d3497251fc752f5843664325e72504c7a500f69a92fe993a5533b5411bde4
                                                          • Opcode Fuzzy Hash: 9bd0d4c35a0d43f9f340397e5da8c2ddf8831cdbf59e9a46c62ee2ae4a3333be
                                                          • Instruction Fuzzy Hash: 0B41E070C0072DCBDB24DFA9D884B9EBBF5BF48304F20806AD408AB251DB766946CF90

                                                          Control-flow Graph
                                                          control_flow_graph 845 105590c-1055913 846 1055918-10559d9 CreateActCtxA 845->846 848 10559e2-1055a3c 846->848 849 10559db-10559e1 846->849 856 1055a3e-1055a41 848->856 857 1055a4b-1055a4f 848->857 849->848 856->857 858 1055a51-1055a5d 857->858 859 1055a60 857->859 858->859 861 1055a61 859->861 861->861
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 010559C9
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1339070775.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1050000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 1258aff05eb029d41d8e66731a13df2230193db823a5d7f5a1a15a60df6b42d2
                                                          • Instruction ID: 686a2b39f4d98bc1d6948ab25ee3bba862880aab73eb7943288412c3bf8dfa53
                                                          • Opcode Fuzzy Hash: 1258aff05eb029d41d8e66731a13df2230193db823a5d7f5a1a15a60df6b42d2
                                                          • Instruction Fuzzy Hash: 1141D0B1C0071DCBDB24DFAAD884B9EBBF5BF48314F60816AD408AB251DB756946CF50

                                                          Control-flow Graph
                                                          control_flow_graph 862 7400870-7400874 863 7400876-7400896 862->863 864 740089c 862->864 863->864 866 7400865-740086f 864->866 867 740089d-74008c4 864->867 866->862 868 74008c6-74008cc 867->868 869 74008cf-74008de 867->869 868->869 870 74008e0 869->870 871 74008e3-740091c DrawTextExW 869->871 870->871 872 7400925-7400942 871->872 873 740091e-7400924 871->873 873->872
                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0740090F
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1346015430.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7400000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0
                                                          • Opcode ID: 15dcb98618533b5c64b0f470142f673476cf5595dc6a70e2c29c1c150b3b8287
                                                          • Instruction ID: d970815c1445e3eff3b172440391c03f562fe6a4bbfb793a3ac10c30a5dd4287
                                                          • Opcode Fuzzy Hash: 15dcb98618533b5c64b0f470142f673476cf5595dc6a70e2c29c1c150b3b8287
                                                          • Instruction Fuzzy Hash: E13102B6D003499FDB10CF9AD880ADEFBF5FB48320F15842AE919A7250D775A945CFA0

                                                          Control-flow Graph
                                                          control_flow_graph 968 7313ad1-7313ad4 969 7313ad6-7313b19 968->969 970 7313b1c-7313b26 968->970 969->970 972 7313b36-7313b75 WriteProcessMemory 970->972 973 7313b28-7313b34 970->973 975 7313b77-7313b7d 972->975 976 7313b7e-7313bae 972->976 973->972 975->976
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07313B68
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: bb535c336c09dc811aeddfedfafe1772b68bd2006d557499053727e98edb7747
                                                          • Instruction ID: f6b7f7454a9fcea31f6e9ff4853b2acd187281d61f8c0a737078348711bdce7c
                                                          • Opcode Fuzzy Hash: bb535c336c09dc811aeddfedfafe1772b68bd2006d557499053727e98edb7747
                                                          • Instruction Fuzzy Hash: D92157B59003499FDB10DFAAC880BEEBBF5FF48320F508529E958A3240D7789941CBA1

                                                          Control-flow Graph
                                                          control_flow_graph 990 7400878-7400896 991 740089c 990->991 992 7400865-7400874 991->992 993 740089d-74008c4 991->993 992->991 999 7400876-7400877 992->999 994 74008c6-74008cc 993->994 995 74008cf-74008de 993->995 994->995 997 74008e0 995->997 998 74008e3-740091c DrawTextExW 995->998 997->998 1000 7400925-7400942 998->1000 1001 740091e-7400924 998->1001 999->990 1001->1000
                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0740090F
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1346015430.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7400000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0
                                                          • Opcode ID: 94fc27bf1dd862d7b125bbf9dc3a9a20e2c0fd77212baa4b3ec16224db837ed5
                                                          • Instruction ID: ff0d5b023a49030a1c9b201131ee46371b3be63ba928fb1d3b72249300df74e9
                                                          • Opcode Fuzzy Hash: 94fc27bf1dd862d7b125bbf9dc3a9a20e2c0fd77212baa4b3ec16224db837ed5
                                                          • Instruction Fuzzy Hash: 5F21CEB5D0030A9FDB10CF9AD884ADEBBF5FB48320F14842AE919A7350D775A945CFA0

                                                          Control-flow Graph
                                                          control_flow_graph 980 7313ad8-7313b26 982 7313b36-7313b75 WriteProcessMemory 980->982 983 7313b28-7313b34 980->983 985 7313b77-7313b7d 982->985 986 7313b7e-7313bae 982->986 983->982 985->986
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07313B68
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 04d4ce97d37b314f4fd4aee3275201caacdd56d61f5bbc73d351cf6121538dbc
                                                          • Instruction ID: a284bcabc7e5d6d6afed38df70798970f841d33936c6cc72ec07660608121c49
                                                          • Opcode Fuzzy Hash: 04d4ce97d37b314f4fd4aee3275201caacdd56d61f5bbc73d351cf6121538dbc
                                                          • Instruction Fuzzy Hash: 312157B5D003099FDB10DFAAC881BEEBBF5FF48310F508429E918A7240D7789941CBA0
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07313C48
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 8d4cb5ac0f197c7a159c5122af14ede9546fc462256285cea4000444b1fdb848
                                                          • Instruction ID: 5fcfd1d0c9bd334fb09595ebdfd669114afc229b5f4e4f08e4933d110074ef1c
                                                          • Opcode Fuzzy Hash: 8d4cb5ac0f197c7a159c5122af14ede9546fc462256285cea4000444b1fdb848
                                                          • Instruction Fuzzy Hash: 132126B5C003499FDB10DFAAC841BEEBBF5FF48320F508429E958A7240CB359941DBA1
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073139BE
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 058a2c8b9729bfe92919056d27461cb2c4600c1da5f881ec18836b61835117e6
                                                          • Instruction ID: 810aa870960fc18c2ef974b4244ddd38c62700c57ff70813cd7e253450b53591
                                                          • Opcode Fuzzy Hash: 058a2c8b9729bfe92919056d27461cb2c4600c1da5f881ec18836b61835117e6
                                                          • Instruction Fuzzy Hash: A0216AB5D003098FDB14DFAAC485BEEBBF4EF48314F508429D459A7240CB789945CFA1
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0105D92E,?,?,?,?,?), ref: 0105D9EF
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1339070775.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1050000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 9c9d2690db77c8b46aa27f78ae9e689b25853f40e6385333c46fccee02e19891
                                                          • Instruction ID: b334051cfdf295c475c6596c289fa1172de11110005eb2744bb3e36c2f326b17
                                                          • Opcode Fuzzy Hash: 9c9d2690db77c8b46aa27f78ae9e689b25853f40e6385333c46fccee02e19891
                                                          • Instruction Fuzzy Hash: 1D21E3B5D003499FDB10CF9AD984AEEBBF5EB48310F14845AE954A3350D375A940CFA5
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07313C48
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: a1d55a668f1819aa2742e010d17fc807136a0c2202afade81c6008c79b418089
                                                          • Instruction ID: 8b6532dca877051311eda826e83a24cdc584b71315529cfe6535ef150e9810a2
                                                          • Opcode Fuzzy Hash: a1d55a668f1819aa2742e010d17fc807136a0c2202afade81c6008c79b418089
                                                          • Instruction Fuzzy Hash: B22128B5C003499FDB14DFAAC841BEEBBF5FF48320F508429E959A7240CB399941CBA1
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073139BE
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: c7359b943ab6fd14965ea4745f3de45f74e2464f4602056976cae5305ecd04a3
                                                          • Instruction ID: fa1d756d40c5ae137818ca9d8d1d2186ceb61ee6ccbbf2ccf4cfa4b99e736db6
                                                          • Opcode Fuzzy Hash: c7359b943ab6fd14965ea4745f3de45f74e2464f4602056976cae5305ecd04a3
                                                          • Instruction Fuzzy Hash: 1A2149B1D003098FDB14DFAAC4857EEBBF4EF48324F54842AD459A7240CB789945CFA1
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0105D92E,?,?,?,?,?), ref: 0105D9EF
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1339070775.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1050000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 0b6259e9b952f183a2205717824fc70348072ab5bb5382c96c2ca7e7916513d2
                                                          • Instruction ID: 932fc2684ad03c2fa0671f91ec83450b820f2a54b14f5d5fb63186bb06d6ffca
                                                          • Opcode Fuzzy Hash: 0b6259e9b952f183a2205717824fc70348072ab5bb5382c96c2ca7e7916513d2
                                                          • Instruction Fuzzy Hash: 2721E0B5D002499FDB10CFA9D985AEEBBF5EB08320F15841AE958A3250D378A945CFA1
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07313A86
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 3b7b8a9be5e2860dd3eaa701e48eb40b24c912bc1a7b5573e56bb866107116e9
                                                          • Instruction ID: 425dc0920f691faaf9cb954ef8f4e77100dc167cfbc00ebce2117945f3aaa2b0
                                                          • Opcode Fuzzy Hash: 3b7b8a9be5e2860dd3eaa701e48eb40b24c912bc1a7b5573e56bb866107116e9
                                                          • Instruction Fuzzy Hash: 9C1144758003499FDB24DFAAC845BEEBBF5EB48320F108819E519A7250CB75A941CFA1
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07313A86
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 9c89a6a66c92f9f20622cbe51f81b408eae492e50c9457f13d5c81d262ae95ca
                                                          • Instruction ID: 173e8f5629fc81d31edcf954df691c9a60fbbd040883b3d18e37a65d1a18acdd
                                                          • Opcode Fuzzy Hash: 9c89a6a66c92f9f20622cbe51f81b408eae492e50c9457f13d5c81d262ae95ca
                                                          • Instruction Fuzzy Hash: 99112675C003499FDB24DFAAC845BEEBBF5EF48320F148819E519A7250CB75A941CFA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: dae54ede513e52c342a46cc7d023afe0133d7080fb4a72a8f4c400f3c2424968
                                                          • Instruction ID: f05625e4eab758ffcd6a3b6913f13273b3f4afa6439bb9e793e929be691d98ae
                                                          • Opcode Fuzzy Hash: dae54ede513e52c342a46cc7d023afe0133d7080fb4a72a8f4c400f3c2424968
                                                          • Instruction Fuzzy Hash: F5117C74D003498FDB20DFAAC8457AEFBF4AF88320F10841DD419A3240CB35A941CBA5
                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 07316065
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: 2f5d0c13dc3e8768acf2b0785c9681e7c27e534e5996b00413a6e42def7951d4
                                                          • Instruction ID: 6740ca1ea4efe14ca16fbe0e609794f182c45972650f87b951faa8e18b1c9257
                                                          • Opcode Fuzzy Hash: 2f5d0c13dc3e8768acf2b0785c9681e7c27e534e5996b00413a6e42def7951d4
                                                          • Instruction Fuzzy Hash: 4B11C2B58043499FDB20DF9AD985BEEBFF8EB48320F108859E558A7240C775A944CFA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: e8a623d59f973d198ae0b9bd6597336771c0ced3476cde1adaada9cce99a75ea
                                                          • Instruction ID: fd17be76da3bb53739b77b181ab01bd7d3a39784d55588c0f5f1ebc01bb29fe1
                                                          • Opcode Fuzzy Hash: e8a623d59f973d198ae0b9bd6597336771c0ced3476cde1adaada9cce99a75ea
                                                          • Instruction Fuzzy Hash: DE116AB1D003098FDB24DFAAC8457AEFBF5EF48320F108429D419A7240CB39A941CFA4
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0105B6DE
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1339070775.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1050000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 59a4676bdc78330ed8e64128d999843341ed0fa91824b2dd566ac4fe8244d389
                                                          • Instruction ID: b24180de61c452e4159d02eb08a38ff313b2e90103cab7e4bd51da7f46b706dd
                                                          • Opcode Fuzzy Hash: 59a4676bdc78330ed8e64128d999843341ed0fa91824b2dd566ac4fe8244d389
                                                          • Instruction Fuzzy Hash: 86110FB5C003498FDB20DF9AC444A9EFBF5AF88220F10846AD868A7210C379A545CFA1
                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 07316065
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1345736039.0000000007310000.00000040.00000800.00020000.00000000.sdmp, Offset: 07310000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7310000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: 89d826ca75cb4063bc7b5698db6ab7a07f0536d42152d0ce15be1f0868258575
                                                          • Instruction ID: 281b15eb2d77b56bd50ce638d66a0f8448d8a7f641694a3180f482fb4f23bcf8
                                                          • Opcode Fuzzy Hash: 89d826ca75cb4063bc7b5698db6ab7a07f0536d42152d0ce15be1f0868258575
                                                          • Instruction Fuzzy Hash: 4C11E2B5800349DFDB20DF9AC985BDEFBF8EB48320F10885AE558A7240C775A944CFA1
                                                          APIs
                                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07402979,?,?), ref: 07402B20
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1346015430.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7400000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: e8f7c9a039710b1aae5d3620782116c14c8bb2fceec56b2d445675e68233c0e3
                                                          • Instruction ID: 7780ce6dde4d49579e83f82c544159c9bd08c4b95eb14d559f2fb24a6ddfa5cf
                                                          • Opcode Fuzzy Hash: e8f7c9a039710b1aae5d3620782116c14c8bb2fceec56b2d445675e68233c0e3
                                                          • Instruction Fuzzy Hash: 831158B58003099FDB20DF99D445BEEBBF4FB48320F10842AD558A7280C739A949CFA5
                                                          APIs
                                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,07402979,?,?), ref: 07402B20
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1346015430.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_7400000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: eceb391cec9b4d52ab2d66616942c20ed07a912152b0cae1d6a7c511c7fc964d
                                                          • Instruction ID: c4999659b7245f45e601d3cdd2430185f0f5bd723bf466439af0310dc4e8dfbb
                                                          • Opcode Fuzzy Hash: eceb391cec9b4d52ab2d66616942c20ed07a912152b0cae1d6a7c511c7fc964d
                                                          • Instruction Fuzzy Hash: 001146B58003499FCB20DF99D445BEEBBF4FB48320F10842AD958A7280C779A944CFA5
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1338066770.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_d6d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 206258b3adc29a4da9c2b5b0167b0f0ad142998bcb1e689a57f7a3c706f04a08
                                                          • Instruction ID: 5b61cb18396474f7213cb403e0523000402cbcb86c31fb6ad097f35f83e070ef
                                                          • Opcode Fuzzy Hash: 206258b3adc29a4da9c2b5b0167b0f0ad142998bcb1e689a57f7a3c706f04a08
                                                          • Instruction Fuzzy Hash: 02210072A04304DFDB14DF10E9C0B26BF67FB99320F248169E8490B256C37AD856CAB2
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1338066770.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_d6d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e250845c72d7f04b0b2b89757663901e8d4bfcbc01bd6a8fd733a6ce16a3171e
                                                          • Instruction ID: 76c662d7684d026adb5fe0bc07f1b4e877394d68463ab161185f665cc90db868
                                                          • Opcode Fuzzy Hash: e250845c72d7f04b0b2b89757663901e8d4bfcbc01bd6a8fd733a6ce16a3171e
                                                          • Instruction Fuzzy Hash: B8210371A04244DFDB14DF10E9C0B16BB66FB98324F24C169E8490F25AC736FC56CAB2
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1338135892.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_d7d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f938f284e62d51dc512a2d3c8f83aed8e3e13ad060078a89edd36e368dd550e4
                                                          • Instruction ID: 8e280ff775ba587ffb778c9740f971f770220a39d460de608ce236980ce6c437
                                                          • Opcode Fuzzy Hash: f938f284e62d51dc512a2d3c8f83aed8e3e13ad060078a89edd36e368dd550e4
                                                          • Instruction Fuzzy Hash: 7421CF71A04200AFDB15DF10D980B26BBB6FF84314F24C6ADE84D4B296D336D847CA75
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1338135892.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_d7d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1dfcd743c19d311a4a29f429d132deb05661dd0e07262462417425c50b4cd54a
                                                          • Instruction ID: a557f741eae5c07893aa6c46730d8f302edfdbce0d0eb821c771ec5bc7eab501
                                                          • Opcode Fuzzy Hash: 1dfcd743c19d311a4a29f429d132deb05661dd0e07262462417425c50b4cd54a
                                                          • Instruction Fuzzy Hash: 0121D075604200DFDB14DF14D984B16BB76EF84314F24C56DE84E4B286D336D847CA72
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1338135892.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_d7d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 476b7b9eaefdd381994589c7afce5c5c0507d46233bb2c7f6106762487cb0fa0
                                                          • Instruction ID: e04689f49295b7d78de44d248282c7becb625c09c565d45a091bf36c79054436
                                                          • Opcode Fuzzy Hash: 476b7b9eaefdd381994589c7afce5c5c0507d46233bb2c7f6106762487cb0fa0
                                                          • Instruction Fuzzy Hash: CA2150755093808FCB16CF24D994715BF72EF46314F28C5EAD8498B6A7D33A980ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1338066770.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_d6d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction ID: ec6fe2d8272bfa19d242731117b6e1a6b1fdf3c13bbaac5db0f9fbb66b9ca88d
                                                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction Fuzzy Hash: B311E676A04240DFCB15CF14D5C4B16BF72FB94324F28C6A9D8494B656C33AE856CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1338066770.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_d6d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction ID: 144d545da89f141636b058f2d9754b87317220d96b90e50057402df7d11fdf91
                                                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction Fuzzy Hash: 8111E676A04340CFCB15CF10D9C4B16BF72FB95324F28C5A9D8094B256C37AD856CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1338135892.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_d7d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                          • Instruction ID: 50c735eb722c522c3b3f989e0e8f8d9ae5a382cacb231bcce8515e7f94f60d33
                                                          • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                          • Instruction Fuzzy Hash: 5A118B75504280DFCB15DF14D5C4B15BBB2FF84324F28C6ADD8494B696D33AD84ACB61
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1338066770.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_d6d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2ba96d2d1905ee4ed71edd48f57c1ec45077cb4169c07e5dfdddbeaf04968ff1
                                                          • Instruction ID: 9190a33d413b9bae3d9a8f2c3583f340d082e7facc0f687ce7683dc74b2d3b60
                                                          • Opcode Fuzzy Hash: 2ba96d2d1905ee4ed71edd48f57c1ec45077cb4169c07e5dfdddbeaf04968ff1
                                                          • Instruction Fuzzy Hash: CE012631A083409BE7205E21EDC4B26BF99DF81325F1CC56AED4A0F282D279DC41CAB3
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.1338066770.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_d6d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6d027d745e1c06dad3d14b3c2e0941c598a365bdae21d460e9ebdf6211bbd1b1
                                                          • Instruction ID: afa4412731834c8d32224a14d17f8dcaab4197c76a8ba5fcf618aec63dbad8ff
                                                          • Opcode Fuzzy Hash: 6d027d745e1c06dad3d14b3c2e0941c598a365bdae21d460e9ebdf6211bbd1b1
                                                          • Instruction Fuzzy Hash: D3F06D71504384AFE7209E16D988B62FF98EB91734F18C55AED095B286C279AC44CBB2

                                                          Execution Graph

                                                          Execution Coverage:9.7%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:32
                                                          Total number of Limit Nodes:5
                                                          execution_graph 14405 a2d720 14406 a2d766 GetCurrentProcess 14405->14406 14408 a2d7b1 14406->14408 14409 a2d7b8 GetCurrentThread 14406->14409 14408->14409 14410 a2d7f5 GetCurrentProcess 14409->14410 14411 a2d7ee 14409->14411 14412 a2d82b GetCurrentThreadId 14410->14412 14411->14410 14414 a2d884 14412->14414 14415 a2b390 14418 a2b478 14415->14418 14416 a2b39f 14419 a2b499 14418->14419 14420 a2b4bc 14418->14420 14419->14420 14421 a2b6c0 GetModuleHandleW 14419->14421 14420->14416 14422 a2b6ed 14421->14422 14422->14416 14423 a24668 14424 a2467a 14423->14424 14425 a24686 14424->14425 14427 a24778 14424->14427 14428 a2479d 14427->14428 14432 a24888 14428->14432 14436 a24879 14428->14436 14433 a248af 14432->14433 14434 a2498c 14433->14434 14440 a244b4 14433->14440 14437 a248af 14436->14437 14438 a244b4 CreateActCtxA 14437->14438 14439 a2498c 14437->14439 14438->14439 14441 a25918 CreateActCtxA 14440->14441 14443 a259db 14441->14443 14444 a2d968 DuplicateHandle 14445 a2d9fe 14444->14445

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 00A2D79E
                                                          • GetCurrentThread.KERNEL32 ref: 00A2D7DB
                                                          • GetCurrentProcess.KERNEL32 ref: 00A2D818
                                                          • GetCurrentThreadId.KERNEL32 ref: 00A2D871
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452595948.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_a20000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          • Opcode ID: 6c06f613fdf853d32d7955ab159e25a8ac6b21fe28e9d70b7c3e279855354350
                                                          • Instruction ID: 41a7b11c8352b9a7d608c6be9ba1e237e2945386d652da1c0baece3e524016c4
                                                          • Opcode Fuzzy Hash: 6c06f613fdf853d32d7955ab159e25a8ac6b21fe28e9d70b7c3e279855354350
                                                          • Instruction Fuzzy Hash: 105177B0D003498FDB14DFAAE548B9EBBF1EF88314F208469E418A7360DB749949CF65

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 21 a2b478-a2b497 22 a2b4c3-a2b4c7 21->22 23 a2b499-a2b4a6 call a29ef8 21->23 25 a2b4db-a2b51c 22->25 26 a2b4c9-a2b4d3 22->26 30 a2b4a8 23->30 31 a2b4bc 23->31 32 a2b529-a2b537 25->32 33 a2b51e-a2b526 25->33 26->25 76 a2b4ae call a2b720 30->76 77 a2b4ae call a2b710 30->77 31->22 34 a2b55b-a2b55d 32->34 35 a2b539-a2b53e 32->35 33->32 40 a2b560-a2b567 34->40 37 a2b540-a2b547 call a2b140 35->37 38 a2b549 35->38 36 a2b4b4-a2b4b6 36->31 39 a2b5f8-a2b6b8 36->39 42 a2b54b-a2b559 37->42 38->42 71 a2b6c0-a2b6eb GetModuleHandleW 39->71 72 a2b6ba-a2b6bd 39->72 43 a2b574-a2b57b 40->43 44 a2b569-a2b571 40->44 42->40 45 a2b588-a2b591 call a2b150 43->45 46 a2b57d-a2b585 43->46 44->43 52 a2b593-a2b59b 45->52 53 a2b59e-a2b5a3 45->53 46->45 52->53 54 a2b5c1-a2b5ce 53->54 55 a2b5a5-a2b5ac 53->55 61 a2b5d0-a2b5ee 54->61 62 a2b5f1-a2b5f7 54->62 55->54 57 a2b5ae-a2b5be call a2b160 call a2b170 55->57 57->54 61->62 73 a2b6f4-a2b708 71->73 74 a2b6ed-a2b6f3 71->74 72->71 74->73 76->36 77->36
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00A2B6DE
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452595948.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_a20000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 7db08c85a35cdb19ca0496becf4e97297f3d17069ec53a841ced94e4c24fe2a1
                                                          • Instruction ID: 45e288744fc756635b3534100c2ca1e6d325ab46c27a5563c108603ac09f2428
                                                          • Opcode Fuzzy Hash: 7db08c85a35cdb19ca0496becf4e97297f3d17069ec53a841ced94e4c24fe2a1
                                                          • Instruction Fuzzy Hash: 14816770A10B158FD724DF29E55579ABBF1FF88300F008A2DD486DBA50D734E94ACBA0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 78 a2590c-a259d9 CreateActCtxA 80 a259e2-a25a3c 78->80 81 a259db-a259e1 78->81 88 a25a4b-a25a4f 80->88 89 a25a3e-a25a41 80->89 81->80 90 a25a60 88->90 91 a25a51-a25a5d 88->91 89->88 93 a25a61 90->93 91->90 93->93
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00A259C9
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452595948.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_a20000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 42adb914860e9bd8ce90696e59e1ce4db7c062f408bb48f08db673c993ea5b32
                                                          • Instruction ID: 80f66f8efe1d47a5b2f6d1a24639ea1940b3dc4ac32325c4b05afcef0a4cabb1
                                                          • Opcode Fuzzy Hash: 42adb914860e9bd8ce90696e59e1ce4db7c062f408bb48f08db673c993ea5b32
                                                          • Instruction Fuzzy Hash: AC410271C00B29CFEB24CFAAC885BDEBBB5BF49314F20816AD408AB251DB755946CF50

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00A259C9
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452595948.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_a20000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: f72d59c9c6f693d3d6e37871758b09416bd3c4cd117b5f831012b46b84ce338c
                                                          • Instruction ID: 1eeed1e9ac6a0fc020d43ac864bb4cb3056b07edd9596c536a8ac90e13ee9a24
                                                          • Opcode Fuzzy Hash: f72d59c9c6f693d3d6e37871758b09416bd3c4cd117b5f831012b46b84ce338c
                                                          • Instruction Fuzzy Hash: C241D471C00B2DCBDB24DFAAD88579EBBF5BF48314F20816AD408AB251DB756946CF50

                                                          Control-flow Graph

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A2D9EF
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452595948.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_a20000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 6f8ec4d4948f25a976385e37b8fb0ef7bbbed01e1879d783e48af18f5b5147e0
                                                          • Instruction ID: 626216865724f4fb72a99065885b08802d4f1b8ae8728184cd93f66cf0200de7
                                                          • Opcode Fuzzy Hash: 6f8ec4d4948f25a976385e37b8fb0ef7bbbed01e1879d783e48af18f5b5147e0
                                                          • Instruction Fuzzy Hash: FA21E4B5D003489FDB10CF9AD884ADEFBF5EB48310F14801AE914A3350D374A940CFA0

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00A2B6DE
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452595948.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_a20000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 3c9f8f9950c1baf332ee9cf9cc3588e27571c1c46c8de511ce3a6d59c6040163
                                                          • Instruction ID: db8fae66e552ed8aac88232218a9cbe9d1b9613010afaf6cb50cffc5769da332
                                                          • Opcode Fuzzy Hash: 3c9f8f9950c1baf332ee9cf9cc3588e27571c1c46c8de511ce3a6d59c6040163
                                                          • Instruction Fuzzy Hash: EE110FB5C003498FCB20DF9AD444A9EFBF4AB88320F10842AD829A7610C379A545CFA1
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452336374.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_98d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: be96d902ec19a8e343ba14d5fb91b7dfdd2d65ec9b3c212c1c0326d30e62dfd6
                                                          • Instruction ID: 876b7b6a77d1daf29c68b86a2080d3f9244cb5342dbcf29d52e3a4b3c52636ba
                                                          • Opcode Fuzzy Hash: be96d902ec19a8e343ba14d5fb91b7dfdd2d65ec9b3c212c1c0326d30e62dfd6
                                                          • Instruction Fuzzy Hash: 3F212871505204DFDB14EF20D9C0B16BB65FB94324F20C569D8090F3E6C33AE856CBA2
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452336374.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_98d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 54ce4427f8688f74c8d841c32b23c04b4e13471c1cc5f1dd07dea52b25e45f90
                                                          • Instruction ID: 7c9e07be864728ae8fc859a4fa988465a30379a18e0d4e29a1edd5a6c3f8efb8
                                                          • Opcode Fuzzy Hash: 54ce4427f8688f74c8d841c32b23c04b4e13471c1cc5f1dd07dea52b25e45f90
                                                          • Instruction Fuzzy Hash: 0321F571609204DFDB19EF10D9C8F16BF66FF94324F248569E9090B396C33AD856CBA2
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452389441.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_99d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9ed1e07fdcf38ebd6ba1e8ebb9c7f51bc940f6b06d2c00e99ea1d3fa801afb6f
                                                          • Instruction ID: 05bf7c402491ad3cce2b3c8cccd53f0451e0868f75ba1f55b09d4f007de62419
                                                          • Opcode Fuzzy Hash: 9ed1e07fdcf38ebd6ba1e8ebb9c7f51bc940f6b06d2c00e99ea1d3fa801afb6f
                                                          • Instruction Fuzzy Hash: CA21D075605300DFDF14DF28D9C4B26BB65EB88314F24C969D84A4B286C33AD847CA62
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452389441.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_99d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 97719e081cc79cbda3a8183706b066229190d3b456ef2082a25bcb9b11b4affb
                                                          • Instruction ID: 20fd96dd0c08b0e281cc9b82195d4153f1be0b7cf3c52d1b40632d03baa2ed33
                                                          • Opcode Fuzzy Hash: 97719e081cc79cbda3a8183706b066229190d3b456ef2082a25bcb9b11b4affb
                                                          • Instruction Fuzzy Hash: C4210775605300DFDF15DF18D9C0B19BB65FB84314F20C96DD8494B296C33AD846CB61
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452389441.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_99d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 65e3956286355ec41be393ee33d80c1292579b0ea9a3f26837c4bd4c7112cf6e
                                                          • Instruction ID: 8cf04b1844b8f1352b2585a4843e3e6bfe827f8ad993253c672b6ee97aa2e9be
                                                          • Opcode Fuzzy Hash: 65e3956286355ec41be393ee33d80c1292579b0ea9a3f26837c4bd4c7112cf6e
                                                          • Instruction Fuzzy Hash: 08215E755093808FDB16CF24D9D4715BF71EB46314F28C5EAD8898B6A7C33A980ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452336374.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_98d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction ID: e0f048856f69217eb9cf41437334336b1c786cccdb77b2c06020d47de5392e7a
                                                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction Fuzzy Hash: 8B110376504240DFCB05DF10D5C0B16BF72FB94324F24C2A9D8090B3A6C33AE85ACBA1
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452336374.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_98d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction ID: 374575709e112c8094aa13160af9638ed8534bbd5cf1ed5e420dee8fbed2e797
                                                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction Fuzzy Hash: 5411AF76508240CFCB15DF10D9C4B16BF72FB94324F2485A9D8094B296C33AD856CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452389441.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_99d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                          • Instruction ID: a500f7fb1e9bee3d6c5c0e42df25eae82251f36b330ffd70462a164bc4f5ef34
                                                          • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                          • Instruction Fuzzy Hash: F8118B75504280DFDB15DF14D6C4B19BBA2FB84324F24C6ADD8494B696C33AD84ACB61
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452336374.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_98d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 281ad4b00004d45ca8c394f31ef2a42a32ef99da21bdf047f78d0c33c201fb42
                                                          • Instruction ID: f5fa9a9a64d50c1b99f55817963b34365b044744d2003ee7a9819f643509753e
                                                          • Opcode Fuzzy Hash: 281ad4b00004d45ca8c394f31ef2a42a32ef99da21bdf047f78d0c33c201fb42
                                                          • Instruction Fuzzy Hash: 5101F2B150A3449AE720AE21CC84B26BB9CDF41365F18C96AED090E3C2D6399841CBB6
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.1452336374.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_98d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 04972b3c9339655de4e864a3491e815802d69b549bf37728efd2b4627984c278
                                                          • Instruction ID: 85f5126dc0c68e1fbc9186676a7d4232d86e37d1bf79c28b79f286a603e5ff60
                                                          • Opcode Fuzzy Hash: 04972b3c9339655de4e864a3491e815802d69b549bf37728efd2b4627984c278
                                                          • Instruction Fuzzy Hash: 73F06D71505384AEE7209E16C888B66FFACEB91774F18C55AED084A2C6C279AC44CBB1

                                                          Execution Graph

                                                          Execution Coverage:11.4%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:273
                                                          Total number of Limit Nodes:9

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07483F96
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 7483d60, contains the CreateProcessA call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07483F96
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 5181370, contains the CreateWindowExW call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05182062
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1572293752.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_5180000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 5181f47, contains the CreateWindowExW call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05182062
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1572293752.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_5180000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 51814c4, calls 518139c and CallWindowProcW (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 051845E1
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1572293752.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_5180000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 50744b4, contains the CreateActCtxA call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 050759C9
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1570293523.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_5070000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 507590f, contains the CreateActCtxA call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 050759C9
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1570293523.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_5070000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 7483ad1, contains the WriteProcessMemory call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07483B68
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 7483ad8, contains the WriteProcessMemory call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07483B68
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 7483938, contains the Wow64SetThreadContext call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074839BE
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 7483bc0, contains the ReadProcessMemory call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07483C48
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 507b374, contains the DuplicateHandle call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0507D92E,?,?,?,?,?), ref: 0507D9EF
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1570293523.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_5070000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07483C48
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0

                                                          Control-flow Graph
                                                          • Rendered graph not reproduced; entry block 7483940, contains the Wow64SetThreadContext call (executed / not executed block colouring not recoverable)
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074839BE
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07483A86
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07483A86
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 07486565
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          APIs
                                                          • SetTimer.USER32(?,050D6428,?,?), ref: 05189E9D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1572293752.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_5180000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Timer
                                                          • String ID:
                                                          • API String ID: 2870079774-0
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0507B6DE
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1570293523.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_5070000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          APIs
                                                          • SetTimer.USER32(?,050D6428,?,?), ref: 05189E9D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1572293752.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_5180000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Timer
                                                          • String ID:
                                                          • API String ID: 2870079774-0
                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 07486565
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1575619048.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7480000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          APIs
                                                          • SetTimer.USER32(?,050D6428,?,?), ref: 05189E9D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1572293752.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_5180000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Timer
                                                          • String ID:
                                                          • API String ID: 2870079774-0

                                                          Execution Graph

                                                          Execution Coverage:10.4%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:208
                                                          Total number of Limit Nodes:12

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 016BD79E
                                                          • GetCurrentThread.KERNEL32 ref: 016BD7DB
                                                          • GetCurrentProcess.KERNEL32 ref: 016BD818
                                                          • GetCurrentThreadId.KERNEL32 ref: 016BD871
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619696261.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_16b0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076F3F96
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 3bf3f097bae668d0cd81927aa4a32b80e391592db14a7451954317b648fdfbe1
                                                          • Instruction ID: 42e4e88ec73f0672693008c030548a373f9a72e9a9d552bdb872f8c228c50d7d
                                                          • Opcode Fuzzy Hash: 3bf3f097bae668d0cd81927aa4a32b80e391592db14a7451954317b648fdfbe1
                                                          • Instruction Fuzzy Hash: D1A15BB1D0065ADFDB20DF69C840BEEBBB2BF48310F14816AE909A7350DB759985CF91

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076F3F96
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 4178b3a1b8c4ef4127fb216340002cd9eb2531f645443cd6fae1b42fc1e0d515
                                                          • Instruction ID: b8d74bb7cdbea548abfbf02fbed295b89c3491bf46bc198da1ef3c2ad401204b
                                                          • Opcode Fuzzy Hash: 4178b3a1b8c4ef4127fb216340002cd9eb2531f645443cd6fae1b42fc1e0d515
                                                          • Instruction Fuzzy Hash: A4914AB1D0061ADFDB20CF69C840BEEBBB2BF48310F14816AE909A7350DB759985CF91

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 016BB6DE
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619696261.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_16b0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 36b9dd83dfe477b380c40962671ab903bf2ea2b72b50891169c10384151204da
                                                          • Instruction ID: 044f2b07c20cf9b1872d60496df55fa53c121125e3dc5a025ec224faee19a8a7
                                                          • Opcode Fuzzy Hash: 36b9dd83dfe477b380c40962671ab903bf2ea2b72b50891169c10384151204da
                                                          • Instruction Fuzzy Hash: 94815570A00B098FD725CF2AD89479ABBF1BF88304F04892ED596D7B50D774E886CB91

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 016B59C9
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619696261.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_16b0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: dc7fb9ffb0610fca397b68db17d659f144375f22f80ae376ca11d4a95abd575f
                                                          • Instruction ID: 59016c5d0e3040807103c23c23165bced3aa60073e29254bc2889bfcd089725f
                                                          • Opcode Fuzzy Hash: dc7fb9ffb0610fca397b68db17d659f144375f22f80ae376ca11d4a95abd575f
                                                          • Instruction Fuzzy Hash: 524100B1C0076ECBEB24CFA9C8847CDBBB1BF49314F20815AD409AB251DB756986CF50

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 016B59C9
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619696261.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_16b0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 014a99aa8b9b3db9bf073bc5c678b7754b46cb0162a0a01c14666b9c01578f98
                                                          • Instruction ID: bb9d586a5e7296610785155b7b45f97f588672bb90f3824aaaaca0bcf780cd53
                                                          • Opcode Fuzzy Hash: 014a99aa8b9b3db9bf073bc5c678b7754b46cb0162a0a01c14666b9c01578f98
                                                          • Instruction Fuzzy Hash: E441F271C0072DCBDB24DFA9C884BCDBBB5BF49304F20806AD409AB251DB756986CF90

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076F3B68
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 55cb6e0ead830bd3c5f82a6d1c4cd2c45a805497b6027bf99ba5b6908be625da
                                                          • Instruction ID: 6a603845edbf23bb5fed5353f35255e1944d2049963ae5fb161b1103425ae82a
                                                          • Opcode Fuzzy Hash: 55cb6e0ead830bd3c5f82a6d1c4cd2c45a805497b6027bf99ba5b6908be625da
                                                          • Instruction Fuzzy Hash: 743187B18003499FDB10CFAAC880BDEBBF1FF48310F508429E959A7340C7799941CBA0

                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 077D090F
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648684589.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_77d0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0
                                                          • Opcode ID: 29386f4c7568b65b6bfcabadcdec378ac2f9f74abfbf583b6f43fc857af2790b
                                                          • Instruction ID: 64f2d9a832ffda87800e7cdabda90d86c686afaf49eb1fecf579e62fbf7952ea
                                                          • Opcode Fuzzy Hash: 29386f4c7568b65b6bfcabadcdec378ac2f9f74abfbf583b6f43fc857af2790b
                                                          • Instruction Fuzzy Hash: F331E2B5D003499FDB10CF9AD884A9EBBF5FB48320F54842AE819A7210D775A945CFA0

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076F3B68
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 1498bb9452c6fba3926237aa8ecbd8078af51b7b1ef0c040a881b092bdeaa1de
                                                          • Instruction ID: 138293a74be11182887f68c612f04fb2431f38a42f55a72eeb9be194528b1893
                                                          • Opcode Fuzzy Hash: 1498bb9452c6fba3926237aa8ecbd8078af51b7b1ef0c040a881b092bdeaa1de
                                                          • Instruction Fuzzy Hash: 7B2115B59003599FDB10DFAAC881BDEBBF5FF48310F508429E919A7340D7799941CBA4

                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 077D090F
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648684589.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_77d0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0
                                                          • Opcode ID: b04fa73364c0028c166fa52e4e88ba9159aed53beb491f7cde8c793f6b8ef93d
                                                          • Instruction ID: c477f83567bc97d1d548042f7602630b712eda19d6e0b49994c95047f419cbd3
                                                          • Opcode Fuzzy Hash: b04fa73364c0028c166fa52e4e88ba9159aed53beb491f7cde8c793f6b8ef93d
                                                          • Instruction Fuzzy Hash: 0421D2B5D003099FDB10CF9AD884A9EFBF5FF48320F54842AE919A7210D775A945CFA0

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076F3C48
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 8370dd00443c64c806112591e81b9aff84ef16c29609ccfe0f241f0a65c1acb7
                                                          • Instruction ID: b6fa227350e71aa0e7bd331fdb8a86b9885ec13608f40de51e1e7039c3e34d9e
                                                          • Opcode Fuzzy Hash: 8370dd00443c64c806112591e81b9aff84ef16c29609ccfe0f241f0a65c1acb7
                                                          • Instruction Fuzzy Hash: 1C213BB1C003599FDB10DFAAC881BEEBBF5FF48320F508429E519A7240C7359541CBA5

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076F39BE
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 54a6d86cd67d4d89bad45c37eb31d9af21a5e3ad175aec10c54fe921859db7ed
                                                          • Instruction ID: f8b3bd320c59c35b9f315af116d5919a6a970d43cad2efd0f81d72429405f896
                                                          • Opcode Fuzzy Hash: 54a6d86cd67d4d89bad45c37eb31d9af21a5e3ad175aec10c54fe921859db7ed
                                                          • Instruction Fuzzy Hash: 932159B1D003098FDB10DFAAC485BAEBBF4EF48220F54842AD959A7340DB789945CFA4
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076F3C48
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 9ef61a21fa7b97569848a631635564b66461dae84488006fe67864f88c69df39
                                                          • Instruction ID: 1fd1f53c770c52164df3af5df8264d458c25f01da73a5c1588845e3b2435ad22
                                                          • Opcode Fuzzy Hash: 9ef61a21fa7b97569848a631635564b66461dae84488006fe67864f88c69df39
                                                          • Instruction Fuzzy Hash: 9A2119B1C003499FDB10DFAAC841BDEBBF5FF48310F508429E519A7240C7399541CBA0
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076F39BE
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 46ec1ab41b9b5f27cc0a8f592bf1abc3def5402b51055e19c544282584354789
                                                          • Instruction ID: ba33a6ed9e9cde3f1cbfe2491a1ba9cd30b6051c40565b896f29bc8ca2278f32
                                                          • Opcode Fuzzy Hash: 46ec1ab41b9b5f27cc0a8f592bf1abc3def5402b51055e19c544282584354789
                                                          • Instruction Fuzzy Hash: E62138B1D003098FDB10DFAAC485BAEBBF4EF48324F54842AD559A7340DB789945CFA0
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016BD9EF
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619696261.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_16b0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 5bfdba33edf6b241e08bf22615462e94abf47e9e5e18272ca9d2a5f080d09df2
                                                          • Instruction ID: e4d3e5f8139e106fa9643ad74680048cfa966f01ee2b376609b5c286d5cd46aa
                                                          • Opcode Fuzzy Hash: 5bfdba33edf6b241e08bf22615462e94abf47e9e5e18272ca9d2a5f080d09df2
                                                          • Instruction Fuzzy Hash: C621E4B5D002489FDB10CF9AD884ADEBFF5EB48310F14801AE914A7350D379A941CFA0
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076F3A86
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 8059c825cc0d117310d0e0f95a3842e6cc66466b3f2a830222772c77d9dcb900
                                                          • Instruction ID: c6ad69060d4db33ffb6074c7c470c5b6263e0ad6906ea47bedff7c3a0b48beff
                                                          • Opcode Fuzzy Hash: 8059c825cc0d117310d0e0f95a3842e6cc66466b3f2a830222772c77d9dcb900
                                                          • Instruction Fuzzy Hash: F21147718003499FDB21DFAAC844BDEBBF5AF48320F14881AE555A7250CB75A941CFA0
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076F3A86
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 2621410b00a0cb8342903bce8b1653d09416c182a4921fe50bdfd746b0f19c6e
                                                          • Instruction ID: e9f9c65481bd4e79b8e9bb61f445f09f954217be5ebcf1a8c75e2fe669e00382
                                                          • Opcode Fuzzy Hash: 2621410b00a0cb8342903bce8b1653d09416c182a4921fe50bdfd746b0f19c6e
                                                          • Instruction Fuzzy Hash: 18110775D003499FDB20DFAAC845BDEBBF5EF48320F148419E519A7250CB76A941CFA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 2468b813e15e3e2af8f06cf2da3af3f1832630234482d079a6cc8dc619ba6683
                                                          • Instruction ID: 9792f6ae904e3ce6d3e52b0d96cf66a1962901888a9d9a45acd1f9f03439bd0c
                                                          • Opcode Fuzzy Hash: 2468b813e15e3e2af8f06cf2da3af3f1832630234482d079a6cc8dc619ba6683
                                                          • Instruction Fuzzy Hash: 571149B1D003498FDB20DFAAC84579EFBF5AF88324F148419D519A7740CB39A945CB95
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 5c620bf3675520bc49094f9f713e85e90c1fe4a253655f20bf29569854a917af
                                                          • Instruction ID: c4794dc583bc59ac2ec35fefa8928fb5f139367615f77f39bdace2bb6dfb9ccf
                                                          • Opcode Fuzzy Hash: 5c620bf3675520bc49094f9f713e85e90c1fe4a253655f20bf29569854a917af
                                                          • Instruction Fuzzy Hash: D81128B1D003498FDB20DFAAC84579EFBF5AF48224F148419D519A7340CA79A945CB94
                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 076F6065
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: 6c7e32e0a8c3f6d9815925eb56c059818fa5f630b913ff9eff883f66050631cf
                                                          • Instruction ID: c78164a1329ec59d404e5a03c7aac94d81cabf7d332e46bd998696320003eab6
                                                          • Opcode Fuzzy Hash: 6c7e32e0a8c3f6d9815925eb56c059818fa5f630b913ff9eff883f66050631cf
                                                          • Instruction Fuzzy Hash: 641106B58003499FDB10DF9AC985BDEFFF8EB49320F208419D559A3250D375A985CFA1
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 016BB6DE
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619696261.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_16b0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: a05c774b539c07f800d2f79eff6e71793547339fa17fccc3ecdceaa6cc1796dd
                                                          • Instruction ID: 75064b2f17556ee268ce36285afb2c6fb3d23bf83b23ee9494674ae93a3f9b00
                                                          • Opcode Fuzzy Hash: a05c774b539c07f800d2f79eff6e71793547339fa17fccc3ecdceaa6cc1796dd
                                                          • Instruction Fuzzy Hash: 981102B5C002498FDB10CF9AC884ADEFBF4EF48210F10841AD429A7610D379A545CFA1
                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 076F6065
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648364490.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_76f0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: d297e425a6cff60ee65c0ac2098f0e078844ff8829d0f7d1b4109128bc341e8d
                                                          • Instruction ID: 3830950dfbb99c856465eb3e855da6b63af6cd77e1f6ed5c929734a17d0b8aa2
                                                          • Opcode Fuzzy Hash: d297e425a6cff60ee65c0ac2098f0e078844ff8829d0f7d1b4109128bc341e8d
                                                          • Instruction Fuzzy Hash: 8911E5B5800349DFDB20DF9AC985BDEFBF8EB49320F208419D519A7650C375A944CFA1
                                                          APIs
                                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,077D2979,?,?), ref: 077D2B20
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648684589.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_77d0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: f0df6701be2218738e50e743cd2783592ca870999bc000b2b677dc4a6f0f112f
                                                          • Instruction ID: 43bc14ad709fe2452d4ae209051e0c9ab78afa9025e98f292a009e83de879d96
                                                          • Opcode Fuzzy Hash: f0df6701be2218738e50e743cd2783592ca870999bc000b2b677dc4a6f0f112f
                                                          • Instruction Fuzzy Hash: 3E1143B5C003498FCB20DF9AC445BDEBBF4FB49320F10842AD958A7241D778A945CFA4
                                                          APIs
                                                          • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,077D2979,?,?), ref: 077D2B20
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1648684589.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_77d0000_Adobe.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: 2cd3d342720b01c4628752dcf4a06b601175736d14cb489f8c504ba397cded6f
                                                          • Instruction ID: 65b57973618acb29e7437ab03efa886bf72cf782e4130dc4b6abda8d6310978c
                                                          • Opcode Fuzzy Hash: 2cd3d342720b01c4628752dcf4a06b601175736d14cb489f8c504ba397cded6f
                                                          • Instruction Fuzzy Hash: 031125B58003498FDB20DF9AD445BDEBBF4EB48320F10841AD958A7640D779A985CFA5
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619207379.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_145d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: db99817f2e07fe87f19ab7174490d6eb3438ca5221abcdea8d91b15d6a9ef031
                                                          • Instruction ID: 1bfe9b61b312591522e78c38d145eea04a39d493a39dbd21b8d37deb60fef4af
                                                          • Opcode Fuzzy Hash: db99817f2e07fe87f19ab7174490d6eb3438ca5221abcdea8d91b15d6a9ef031
                                                          • Instruction Fuzzy Hash: A621E072A04204DFDB55DF54D9C0B66BF65EF88324F20C17AED090A267C336E456CAA2
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619278310.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_146d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9778ce94a1b1b2dd5547a4f6cad2378818aef0c9573c9245862674c4b4d8d40a
                                                          • Instruction ID: d8ed1fd88818ba037f2cab7a93e7f03391d52b028631dbf70192f4787803bcb6
                                                          • Opcode Fuzzy Hash: 9778ce94a1b1b2dd5547a4f6cad2378818aef0c9573c9245862674c4b4d8d40a
                                                          • Instruction Fuzzy Hash: 7E21F571B04200DFDB15DF94D9C0B26BB69FB84328F24C56ED8894B362C336D847CA62
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619278310.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_146d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9791f3886736bb43b25d61a020e152d2172f8127e22a9de108abe3cfd03a0733
                                                          • Instruction ID: d038972e7158dab781926a2dad3c2626d979e375819cfc9ee3bf4ce60adad232
                                                          • Opcode Fuzzy Hash: 9791f3886736bb43b25d61a020e152d2172f8127e22a9de108abe3cfd03a0733
                                                          • Instruction Fuzzy Hash: CA2103B5B04300DFDB15DF54D984B16BB69EB8431CF20C56ED88A0B366C336D407CA62
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619278310.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_146d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6912c02d30d287554f2469f7bd922711951731fe12498fe185788ed54e5b54b
                                                          • Instruction ID: 464f3502d2d941e61f001ef4026220c5c57222bd4b2ad06c0d1139c93f2aa2de
                                                          • Opcode Fuzzy Hash: b6912c02d30d287554f2469f7bd922711951731fe12498fe185788ed54e5b54b
                                                          • Instruction Fuzzy Hash: 7F2180755093808FCB06CF24D590716BF71EB46218F28C5DBD8898B2A7C33A980ACB62
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619207379.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_145d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction ID: e8b1d0d3710280d615059e7813d578538b22ef88866dab67f194f1f985607b3d
                                                          • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                          • Instruction Fuzzy Hash: 6811CD76904240CFDB06CF44D9C0B56BF62FB84324F24C2AADC490A267C33AE456CBA1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619278310.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_146d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                          • Instruction ID: 6d87c1171b18280ac87f707f1416044d947cdb6ac8c8d4018e08fcea09edfa86
                                                          • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                          • Instruction Fuzzy Hash: 4E11BE75A04240DFCB16CF54C5C0B16BB61FB84328F28C6AED8894B3A6C33AD44ACB52
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619207379.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_145d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3277a681afe994c7d84baf2e5eb67059236e0e9b15c01a98c8cc5150d9fe0362
                                                          • Instruction ID: 94bb86544c34a58e45a3a03e6b6696f62a8ac63e995628973a8509338f02c4cd
                                                          • Opcode Fuzzy Hash: 3277a681afe994c7d84baf2e5eb67059236e0e9b15c01a98c8cc5150d9fe0362
                                                          • Instruction Fuzzy Hash: F101F7318043849BF7605A55CC84B67BF98DF45225F04C56BED080A293D2399841CAB1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.1619207379.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_145d000_Adobe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30de5d8e50d7f95c326958e928b0afee0aa73ce91a717b1edb8aa33cc64ee900
                                                          • Instruction ID: 62d7ff546264603bfcaa6ad1264f0d672bca4d4a04822fedc95536a94ecfb3bd
                                                          • Opcode Fuzzy Hash: 30de5d8e50d7f95c326958e928b0afee0aa73ce91a717b1edb8aa33cc64ee900
                                                          • Instruction Fuzzy Hash: 97F06D75404384AFE7619E1AC888B63FF98EF85634F18C55AED084A297C279A844CBB1