Windows Analysis Report
6122.scr.exe

Overview

General Information

Sample name: 6122.scr.exe
(renamed because original name is a hash value)
Original sample name: DN ISF S CLS930 KHH-TOLEDO(VIA NYC) SO#66158152 WKH2406122.scr.exe
Analysis ID: 1519258
MD5: 784b07833fbdca10528dbeb3eb1daffe
SHA1: beee89b885546c0dc98f7931f097f9659bbb8419
SHA256: d99f687b6e744e9d9bdff2e59c273c85deff48dbaa52bf2d64009fd5ec4907ab
Tags: exe, user-threatcat_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Drops executable to a common third party application directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 6122.scr.exe (PID: 1688 cmdline: "C:\Users\user\Desktop\6122.scr.exe" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
    • 6122.scr.exe (PID: 4792 cmdline: "C:\Users\user\Desktop\6122.scr.exe" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
    • 6122.scr.exe (PID: 1356 cmdline: "C:\Users\user\Desktop\6122.scr.exe" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
      • Adobe.exe (PID: 2456 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
        • Adobe.exe (PID: 6580 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
          • Adobe.exe (PID: 4696 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
          • Adobe.exe (PID: 1072 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
          • Adobe.exe (PID: 6060 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
          • Adobe.exe (PID: 5652 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\nytbgrrvtzplutnlvscrbj" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
          • Adobe.exe (PID: 1616 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\nytbgrrvtzplutnlvscrbj" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
          • Adobe.exe (PID: 5368 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
          • Adobe.exe (PID: 3184 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
          • Adobe.exe (PID: 3892 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
            • WerFault.exe (PID: 1992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • Adobe.exe (PID: 3348 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
    • Adobe.exe (PID: 2192 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
  • Adobe.exe (PID: 3668 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
    • Adobe.exe (PID: 4216 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 784B07833FBDCA10528DBEB3EB1DAFFE)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "104.250.180.178:7902:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-OTOIRK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000004.00000002.1380972465.00000000011A7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000014.00000002.1498365539.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
Source | Rule | Description | Author | Strings
4.2.6122.scr.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
4.2.6122.scr.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
4.2.6122.scr.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
4.2.6122.scr.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
4.2.6122.scr.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:

System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\6122.scr.exe, ProcessId: 1356, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\6122.scr.exe, ProcessId: 1356, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T09:22:04.558563+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 104.250.180.178 | 7902 | TCP
2024-09-26T09:22:07.464613+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49711 | 104.250.180.178 | 7902 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T09:22:07.384134+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.9 | 49713 | 178.237.33.50 | 80 | TCP

AV Detection

Source: 00000004.00000002.1380972465.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "104.250.180.178:7902:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-OTOIRK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\ProgramData\Adobe\Adobe.exe, ReversingLabs: Detection: 28%
Source: 6122.scr.exe, ReversingLabs: Detection: 28%
Source: Yara match, File source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.6122.scr.exe.375eab0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.1380972465.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.1498365539.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3826634389.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000018.00000002.1577773134.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 6122.scr.exe PID: 1688, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: 6122.scr.exe PID: 1356, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 6580, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 2192, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Adobe.exe PID: 4216, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Adobe\Adobe.exe, Joe Sandbox ML: detected
Source: 6122.scr.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,4_2_00433837
Source: 6122.scr.exe, 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_d1f63d59-8

              Exploits

Source: Yara match, File source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.6122.scr.exe.375eab0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: 6122.scr.exe PID: 1688, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: 6122.scr.exe PID: 1356, type: MEMORYSTR

              Privilege Escalation

Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_004074FD _wcslen,CoGetObject,4_2_004074FD
Source: 6122.scr.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6122.scr.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409253
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041C291
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040C34D
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00409665
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_0044E879 FindFirstFileExA,4_2_0044E879
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_0040880C
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_0040783C FindFirstFileW,FindNextFileW,4_2_0040783C
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00419AF5
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040BB30
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040BD37
Source: C:\ProgramData\Adobe\Adobe.exe, Code function: 6_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_100010F1
Source: C:\ProgramData\Adobe\Adobe.exe, Code function: 6_2_10006580 FindFirstFileExA,6_2_10006580
Source: C:\ProgramData\Adobe\Adobe.exe, Code function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,10_2_0040AE51
Source: C:\ProgramData\Adobe\Adobe.exe, Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,12_2_00407EF8
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_00407C97

              Networking

Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49711 -> 104.250.180.178:7902
Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49709 -> 104.250.180.178:7902
Source: Malware configuration extractor, URLs: 104.250.180.178
Source: global traffic, TCP traffic: 192.168.2.9:49709 -> 104.250.180.178:7902
Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 104.250.180.178 104.250.180.178
Source: Joe Sandbox View, IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View, ASN Name: M247GB M247GB
Source: Network traffic, Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49713 -> 178.237.33.50:80
Source: unknown, TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: C:\Users\user\Desktop\6122.scr.exe, Code function: 4_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,4_2_0041B380
Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Adobe.exe, 0000000A.00000002.1495781169.000000000189D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Adobe.exe, 0000000A.00000002.1495781169.000000000189D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Adobe.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Adobe.exe, 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Adobe.exe, 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic, DNS traffic detected: DNS query: geoplugin.net
Source: bhv8F7C.tmp.10.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv8F7C.tmp.10.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv8F7C.tmp.10.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv8F7C.tmp.10.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv8F7C.tmp.10.dr, String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 6122.scr.exe, Adobe.exe, 00000006.00000002.3826866437.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000006.00000002.3826866437.0000000000CD2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp
Source: 6122.scr.exe, 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhv8F7C.tmp.10.dr, String found in binary or memory: http://ocsp.digicert.com0
Source: Amcache.hve.19.dr, String found in binary or memory: http://upx.sf.net
Source: Adobe.exe, 0000000A.00000002.1494930404.0000000001383000.00000004.00000010.00020000.00000000.sdmp, String found in binary or memory: http://www.nirsoft.net
Source: Adobe.exe, 0000000C.00000002.1477890338.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.nirsoft.net/
Source: Adobe.exe, 0000000A.00000002.1495781169.000000000189D000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 0000000A.00000002.1495044627.00000000013FE000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: Adobe.exe, 0000000A.00000002.1495044627.00000000013FE000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_desktop
Source: Adobe.exe, 0000000A.00000002.1495044627.00000000013FE000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Adobe.exe, 0000000A.00000002.1495044627.00000000013FE000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Adobe.exe, String found in binary or memory: https://login.yahoo.com/config/login
Source: Adobe.exe, String found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,000000004_2_0040A2B8
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,4_2_0040B70E
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,4_2_004168C1
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,10_2_0040987A
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,10_2_004098E2
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,12_2_00406DFC
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,12_2_00406E9F
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,4_2_0040B70E
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,4_2_0040A3E0

              E-Banking Fraud

              Source: Yara matchFile source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.6122.scr.exe.375eab0.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.1380972465.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.1498365539.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.3826634389.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.1577773134.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 6122.scr.exe PID: 1688, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 6122.scr.exe PID: 1356, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 6580, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 2192, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 4216, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0041C9E2 SystemParametersInfoW,4_2_0041C9E2

              System Summary

              Source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.6122.scr.exe.375eab0.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.6122.scr.exe.375eab0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: 6122.scr.exe PID: 1688, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: 6122.scr.exe PID: 1356, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: C:\ProgramData\Adobe\Adobe.exeProcess Stats: CPU usage > 49%
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,10_2_0040DD85
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00401806 NtdllDefWindowProc_W,10_2_00401806
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_004018C0 NtdllDefWindowProc_W,10_2_004018C0
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_004016FD NtdllDefWindowProc_A,12_2_004016FD
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_004017B7 NtdllDefWindowProc_A,12_2_004017B7
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,4_2_004167B4
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 0_2_00B7DA4C0_2_00B7DA4C
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 0_2_068624480_2_06862448
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 0_2_068604780_2_06860478
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 0_2_06866AF80_2_06866AF8
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 0_2_06861B700_2_06861B70
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0043E0CC4_2_0043E0CC
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0041F0FA4_2_0041F0FA
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_004541594_2_00454159
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_004381684_2_00438168
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_004461F04_2_004461F0
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0043E2FB4_2_0043E2FB
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0045332B4_2_0045332B
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0042739D4_2_0042739D
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_004374E64_2_004374E6
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0043E5584_2_0043E558
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_004387704_2_00438770
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_004378FE4_2_004378FE
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_004339464_2_00433946
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0044D9C94_2_0044D9C9
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_00427A464_2_00427A46
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0041DB624_2_0041DB62
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_00427BAF4_2_00427BAF
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_00437D334_2_00437D33
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_00435E5E4_2_00435E5E
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_00426E0E4_2_00426E0E
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0043DE9D4_2_0043DE9D
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_00413FCA4_2_00413FCA
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_00436FEA4_2_00436FEA
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 5_2_018EDA4C5_2_018EDA4C
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 5_2_077C04785_2_077C0478
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 5_2_077C24485_2_077C2448
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 5_2_077C1B705_2_077C1B70
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 5_2_077C69F85_2_077C69F8
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 6_2_100171946_2_10017194
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 6_2_1000B5C16_2_1000B5C1
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0044B04010_2_0044B040
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0043610D10_2_0043610D
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0044731010_2_00447310
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0044A49010_2_0044A490
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0040755A10_2_0040755A
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0043C56010_2_0043C560
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0044B61010_2_0044B610
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0044D6C010_2_0044D6C0
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_004476F010_2_004476F0
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0044B87010_2_0044B870
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0044081D10_2_0044081D
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0041495710_2_00414957
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_004079EE10_2_004079EE
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00407AEB10_2_00407AEB
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0044AA8010_2_0044AA80
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00412AA910_2_00412AA9
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00404B7410_2_00404B74
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00404B0310_2_00404B03
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0044BBD810_2_0044BBD8
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00404BE510_2_00404BE5
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00404C7610_2_00404C76
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00415CFE10_2_00415CFE
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00416D7210_2_00416D72
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00446D3010_2_00446D30
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00446D8B10_2_00446D8B
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_00406E8F10_2_00406E8F
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0040503812_2_00405038
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0041208C12_2_0041208C
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_004050A912_2_004050A9
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0040511A12_2_0040511A
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0043C13A12_2_0043C13A
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_004051AB12_2_004051AB
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0044930012_2_00449300
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0040D32212_2_0040D322
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0044A4F012_2_0044A4F0
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0043A5AB12_2_0043A5AB
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0041363112_2_00413631
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0044669012_2_00446690
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0044A73012_2_0044A730
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_004398D812_2_004398D8
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_004498E012_2_004498E0
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0044A88612_2_0044A886
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0043DA0912_2_0043DA09
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_00438D5E12_2_00438D5E
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_00449ED012_2_00449ED0
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_0041FE8312_2_0041FE83
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 12_2_00430F5412_2_00430F54
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 17_2_02D3DA4C17_2_02D3DA4C
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 17_2_077F047817_2_077F0478
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 17_2_077F244817_2_077F2448
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 17_2_077F1B7017_2_077F1B70
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 17_2_077F69F817_2_077F69F8
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 23_2_011CDA4C23_2_011CDA4C
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: String function: 004169A7 appears 87 times
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: String function: 0044DB70 appears 41 times
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: String function: 004165FF appears 35 times
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: String function: 00422297 appears 42 times
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: String function: 00444B5A appears 37 times
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: String function: 00413025 appears 79 times
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: String function: 00416760 appears 69 times
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: String function: 00434E10 appears 54 times
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: String function: 00402093 appears 50 times
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: String function: 00434770 appears 41 times
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: String function: 00401E65 appears 34 times
              Source: C:\ProgramData\Adobe\Adobe.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 12
              Source: 6122.scr.exe, 00000000.00000000.1359166140.0000000000332000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameYwPH.exe0 vs 6122.scr.exe
              Source: 6122.scr.exe, 00000000.00000002.1370862192.0000000002691000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs 6122.scr.exe
              Source: 6122.scr.exe, 00000000.00000002.1384177620.0000000007830000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 6122.scr.exe
              Source: 6122.scr.exe, 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 6122.scr.exe
              Source: 6122.scr.exe, 00000000.00000002.1369862711.000000000088E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 6122.scr.exe
              Source: 6122.scr.exe, 00000004.00000002.1380972465.00000000011CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameYwPH vs 6122.scr.exe
              Source: 6122.scr.exeBinary or memory string: OriginalFilenameYwPH.exe0 vs 6122.scr.exe
              Source: 6122.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.6122.scr.exe.375eab0.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.6122.scr.exe.375eab0.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 6122.scr.exe PID: 1688, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 6122.scr.exe PID: 1356, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6122.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, cbk110oAvLBaHPT8aa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, D2jrkHYqNBgKEKOjhw.cs | Security API names: _0020.SetAccessControl
Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, D2jrkHYqNBgKEKOjhw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, D2jrkHYqNBgKEKOjhw.cs | Security API names: _0020.AddAccessRule
Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, D2jrkHYqNBgKEKOjhw.cs | Security API names: _0020.SetAccessControl
Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, D2jrkHYqNBgKEKOjhw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, D2jrkHYqNBgKEKOjhw.cs | Security API names: _0020.AddAccessRule
Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, cbk110oAvLBaHPT8aa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@32/12@1/2
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 10_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,10_2_004182CE
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,4_2_00417952
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 10_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,10_2_00418758
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,4_2_0040F474
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,4_2_0041B4A8
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_0041AA4A
Source: C:\Users\user\Desktop\6122.scr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6122.scr.exe.log
Source: C:\ProgramData\Adobe\Adobe.exe | Mutant created: \Sessions\1\BaseNamedObjects\Adobe-OTOIRK
Source: C:\ProgramData\Adobe\Adobe.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3892
Source: C:\ProgramData\Adobe\Adobe.exe | File created: C:\Users\user\AppData\Local\Temp\bhv8F7C.tmp
Source: 6122.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6122.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\ProgramData\Adobe\Adobe.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\6122.scr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\6122.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Adobe.exe, Adobe.exe, 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Adobe.exe, Adobe.exe, 0000000C.00000002.1477890338.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Adobe.exe, 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Adobe.exe, Adobe.exe, 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Adobe.exe, Adobe.exe, 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Adobe.exe, Adobe.exe, 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Adobe.exe, 0000000A.00000002.1496245697.0000000003151000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Adobe.exe, Adobe.exe, 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 6122.scr.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\6122.scr.exe | File read: C:\Users\user\Desktop\6122.scr.exe
Source: C:\ProgramData\Adobe\Adobe.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\nytbgrrvtzplutnlvscrbj"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\nytbgrrvtzplutnlvscrbj"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl"
Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 12
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\nytbgrrvtzplutnlvscrbj"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\nytbgrrvtzplutnlvscrbj"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: riched20.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: usp10.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msls31.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: pstorec.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: vaultcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: dpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: pstorec.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: riched20.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: usp10.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msls31.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: riched20.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: usp10.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msls31.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\6122.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: 6122.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 6122.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

              Source: 6122.scr.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, D2jrkHYqNBgKEKOjhw.cs | .Net Code: EDsCA9Q1J1 System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, D2jrkHYqNBgKEKOjhw.cs | .Net Code: EDsCA9Q1J1 System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.7820000.7.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.26c5a1c.3.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.2716468.1.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.26cf034.0.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.271fa80.2.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: Adobe.exe.4.dr, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: 5.2.Adobe.exe.336fa30.0.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 5.2.Adobe.exe.331f008.2.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_0041CB50
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_00457106 push ecx; ret 4_2_00457119
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_0045B11A push esp; ret 4_2_0045B141
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_0045E54D push esi; ret 4_2_0045E556
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_00457A28 push eax; ret 4_2_00457A46
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_00434E56 push ecx; ret 4_2_00434E69
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_10002806 push ecx; ret 6_2_10002819
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 10_2_0044693D push ecx; ret 10_2_0044694D
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 10_2_0044DB70 push eax; ret 10_2_0044DB84
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 10_2_0044DB70 push eax; ret 10_2_0044DBAC
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 10_2_00451D54 push eax; ret 10_2_00451D61
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_0044B090 push eax; ret 12_2_0044B0A4
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_0044B090 push eax; ret 12_2_0044B0CC
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_00451D34 push eax; ret 12_2_00451D41
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_00444E71 push ecx; ret 12_2_00444E81
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 23_2_011C5821 push ecx; iretd 23_2_011C583F
              Source: 6122.scr.exe | Static PE information: section name: .text entropy: 7.923349764605857
              Source: Adobe.exe.4.dr | Static PE information: section name: .text entropy: 7.923349764605857
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, D2jrkHYqNBgKEKOjhw.cs | High entropy of concatenated method names: 'foeKSOqDHb', 'L6qK5u2RTV', 'qw3Kuevtd2', 'GISKqtXWXm', 'MbgKrwKVS4', 'LxSK7DkyPP', 'FFWKEyrult', 'EHbK1AfPBO', 'OVSKQwDnrD', 'TnKK3Uy8X2'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, qNjwJd4yLjVJUk1Fsk.cs | High entropy of concatenated method names: 'HUF7SSPCYu', 'dsU7uEyYWq', 'sTB7rRpTLA', 'Xro7EZlGna', 'ame718EoPk', 'g0FrNAOI4h', 'W0er02AZjk', 'jZPrF71i37', 'lPyriQlorM', 'FoprWRVJqx'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, Df7BXN1EfZVFokF374.cs | High entropy of concatenated method names: 'KmGUbbUqXP', 'ny3UJ8hh77', 'XvcUVS3ZQf', 'iGLUnWFGHe', 'wMeU6u3Yvg', 'yb1U9BCamC', 'CvTUB4mkH0', 'hMmUhWF1wD', 'Yo0UTqFNkP', 'gHMUXdmKqh'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, x5iIppNvHamdI4BbNZ.cs | High entropy of concatenated method names: 'JmWrMLnBci', 'osUrY9qQav', 'ioUqj5QguU', 'cDtq6hhrR6', 'vLPq9m0m3n', 'mJ3qs0t2Mv', 'LmfqB0qnCg', 'O2aqhPEpI2', 'Q17qkaWmRp', 'ktaqToaLfb'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, g0hkbRZ0hm4i0cG9Cxg.cs | High entropy of concatenated method names: 'PMhIojd8K7', 'qkHIRs8Sj9', 'MDQIAp4oNT', 'y38IlAX3Jc', 'eMIIMokGET', 'CSCIayOlOI', 'KvfIY3Kgi9', 'WaPIbVOGIG', 'jDgIJXKSSv', 'lwBIgMrWqg'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, liBBsJ6SvvQt5seSlk.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CU8cWEQl9v', 'T7pcdvAEyC', 'af5czhxIWV', 'Rs0KtGbc9C', 'KOAKxvbdZf', 'rG8Kcxc3IB', 'arbKKlkMcf', 'zMKGfpBBiwXlkjEnE7p'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, fci8Z4kfFpULb7ue3y.cs | High entropy of concatenated method names: 'FAM255Mlr1', 'NS92u3XKJO', 'Hvy2qVL3SJ', 'Udv2rkch9W', 'yoj27iGrAk', 'wag2ECKYnn', 'hGo21F63uw', 'Vn02QStwP5', 'IdH23ycL5d', 'EZR2H1GnZL'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, X9Hfu6hsGiN6h6sbjR.cs | High entropy of concatenated method names: 'cCeIx19fQd', 'U79IKoD4gO', 'gX2ICYXIDa', 'n4CI55gv1t', 'jG0Iu9dGrW', 'GhvIrihMQ8', 'L5qI7rgLvP', 'wwU2FuMV0Y', 'b9v2ig3xdb', 'Q6r2WOD0bm'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, GBEQZkzaQxhhrbJRCw.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UFPIUYoHEH', 'J30IwVuPKi', 'g5rIeloX3x', 'L53IOhruFr', 'T58I29HIJN', 'jjoIIJu9A6', 'cT8IvLd3Vo'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, uS5LG8Ogclty2uX6Jo.cs | High entropy of concatenated method names: 'yBXACfY2x', 'pRalA1C5n', 'gsKaGCHcI', 'dDTYPa8n1', 'UnmJX7SRI', 'uY0guWfb5', 'XWeiKF4MX2mg9GaR6P', 'WOaBCng7YdUReFA1Od', 'tgb2fnqwO', 'OUvvkyG7M'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, YN7GFZZi2V1r8gbZi7O.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qRZvp5ilM9', 'nt2v88aF1h', 'HeDvZMDKqu', 'aZjvLbmQI0', 'JD3vNXbHUS', 'iWFv09sbfZ', 'hjGvFTQXZq'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, tlELirD2HNZujQlrCU.cs | High entropy of concatenated method names: 'g2ZxE7QFfw', 'roTx1Hcqsb', 'jrAx3kHVty', 'jcBxHL6jyg', 'PA0xwK2nQE', 'gnhxe3q1wh', 'UGFE7r2LaECkvLX5iU', 'c5gr5GZYkBgYv6yJeZ', 'Fw3hSW9PMhoeT40h1h', 'aNkxxoowoY'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, ghnLVRJAY1YAQewB72.cs | High entropy of concatenated method names: 'e3jO3B3sG5', 'X0JOH9AitO', 'ToString', 'ORtO5q3pa5', 'UlVOutaLtk', 'dvJOq6CpVG', 'inBOrTBuyP', 'taOO7fGPut', 'mtmOEZAbTW', 'DBFO1g9ZoB'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, XMxCLWb5jvH97KF4hJ.cs | High entropy of concatenated method names: 'BfCEouxdvP', 'iVYER4474W', 'r6lEATsYNe', 'XokEldBsYK', 'PBqEMvH48G', 'GWDEae5nkV', 'fwSEYr2lh9', 'F9lEbbTKYI', 'HeiEJ9QsPx', 'MLREgixqOJ'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, KHFsaRPoNPjLwP1jAo.cs | High entropy of concatenated method names: 'HBwql3qEm7', 'BbuqaZu1hO', 'PxRqbRFkls', 'tdYqJdHVUT', 'r4xqwiUcOR', 'DyPqeqmJKq', 'tcPqOUMBth', 'ueaq2f2PnM', 'ldWqIPHYQc', 'TTaqvwDsOP'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, WjWEnrUCZNp1gG5YGj.cs | High entropy of concatenated method names: 'tNg2V5ysT0', 'hod2nZOviU', 't5O2j8MxaQ', 'hZg268FCwd', 'ppi2pPyEhx', 'RVn299pcFs', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, DfJ0dCRFAshMGEKW91.cs | High entropy of concatenated method names: 'EQXOiTMP1u', 'WuoOdpkFcB', 'usZ2tiwTtk', 'ORZ2xgPRc5', 'ns8OXNx8yb', 'q0iO4McRj9', 'co3OmPT83P', 'JCOOp2nVye', 'oaKO8sEsvQ', 'fPsOZT3RCl'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, hhPdIVLeiktwu2CyKq.cs | High entropy of concatenated method names: 'C4OE5h3qFG', 'vISEq0CnVg', 'MqVE7FV7Li', 'u487d0Sbbo', 'eVg7zURS6p', 'agkEta6yBA', 'KUiExQvuFn', 'buJEc8OP7G', 'fMGEKBYQSZ', 'mklECo1nk4'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, TOUuoi2iFYVqAMgZ5Y.cs | High entropy of concatenated method names: 'Dispose', 'XZvxWKoSao', 'klHcnNZek4', 'yYvPPOlGR8', 'blBxdptgjc', 'MU9xz5ZVKk', 'ProcessDialogKey', 'vBnctwif6T', 'HUccxJlBWh', 'viuccVaLOK'
              Source: 0.2.6122.scr.exe.7830000.8.raw.unpack, cbk110oAvLBaHPT8aa.cs | High entropy of concatenated method names: 'mA3upnSV7U', 'Fmhu8Bn1F6', 'kvDuZMyGni', 'IXyuLQp8Vo', 'ImGuNvuXsb', 'Sbwu0oCNMk', 'JKMuFIAaja', 'mqBuiXr1BM', 'ynjuWGsf8g', 'v3Uud4Qslt'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, D2jrkHYqNBgKEKOjhw.cs | High entropy of concatenated method names: 'foeKSOqDHb', 'L6qK5u2RTV', 'qw3Kuevtd2', 'GISKqtXWXm', 'MbgKrwKVS4', 'LxSK7DkyPP', 'FFWKEyrult', 'EHbK1AfPBO', 'OVSKQwDnrD', 'TnKK3Uy8X2'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, qNjwJd4yLjVJUk1Fsk.cs | High entropy of concatenated method names: 'HUF7SSPCYu', 'dsU7uEyYWq', 'sTB7rRpTLA', 'Xro7EZlGna', 'ame718EoPk', 'g0FrNAOI4h', 'W0er02AZjk', 'jZPrF71i37', 'lPyriQlorM', 'FoprWRVJqx'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, Df7BXN1EfZVFokF374.cs | High entropy of concatenated method names: 'KmGUbbUqXP', 'ny3UJ8hh77', 'XvcUVS3ZQf', 'iGLUnWFGHe', 'wMeU6u3Yvg', 'yb1U9BCamC', 'CvTUB4mkH0', 'hMmUhWF1wD', 'Yo0UTqFNkP', 'gHMUXdmKqh'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, x5iIppNvHamdI4BbNZ.cs | High entropy of concatenated method names: 'JmWrMLnBci', 'osUrY9qQav', 'ioUqj5QguU', 'cDtq6hhrR6', 'vLPq9m0m3n', 'mJ3qs0t2Mv', 'LmfqB0qnCg', 'O2aqhPEpI2', 'Q17qkaWmRp', 'ktaqToaLfb'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, g0hkbRZ0hm4i0cG9Cxg.cs | High entropy of concatenated method names: 'PMhIojd8K7', 'qkHIRs8Sj9', 'MDQIAp4oNT', 'y38IlAX3Jc', 'eMIIMokGET', 'CSCIayOlOI', 'KvfIY3Kgi9', 'WaPIbVOGIG', 'jDgIJXKSSv', 'lwBIgMrWqg'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, liBBsJ6SvvQt5seSlk.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CU8cWEQl9v', 'T7pcdvAEyC', 'af5czhxIWV', 'Rs0KtGbc9C', 'KOAKxvbdZf', 'rG8Kcxc3IB', 'arbKKlkMcf', 'zMKGfpBBiwXlkjEnE7p'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, fci8Z4kfFpULb7ue3y.cs | High entropy of concatenated method names: 'FAM255Mlr1', 'NS92u3XKJO', 'Hvy2qVL3SJ', 'Udv2rkch9W', 'yoj27iGrAk', 'wag2ECKYnn', 'hGo21F63uw', 'Vn02QStwP5', 'IdH23ycL5d', 'EZR2H1GnZL'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, X9Hfu6hsGiN6h6sbjR.cs | High entropy of concatenated method names: 'cCeIx19fQd', 'U79IKoD4gO', 'gX2ICYXIDa', 'n4CI55gv1t', 'jG0Iu9dGrW', 'GhvIrihMQ8', 'L5qI7rgLvP', 'wwU2FuMV0Y', 'b9v2ig3xdb', 'Q6r2WOD0bm'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, GBEQZkzaQxhhrbJRCw.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UFPIUYoHEH', 'J30IwVuPKi', 'g5rIeloX3x', 'L53IOhruFr', 'T58I29HIJN', 'jjoIIJu9A6', 'cT8IvLd3Vo'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, uS5LG8Ogclty2uX6Jo.cs | High entropy of concatenated method names: 'yBXACfY2x', 'pRalA1C5n', 'gsKaGCHcI', 'dDTYPa8n1', 'UnmJX7SRI', 'uY0guWfb5', 'XWeiKF4MX2mg9GaR6P', 'WOaBCng7YdUReFA1Od', 'tgb2fnqwO', 'OUvvkyG7M'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, YN7GFZZi2V1r8gbZi7O.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qRZvp5ilM9', 'nt2v88aF1h', 'HeDvZMDKqu', 'aZjvLbmQI0', 'JD3vNXbHUS', 'iWFv09sbfZ', 'hjGvFTQXZq'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, tlELirD2HNZujQlrCU.cs | High entropy of concatenated method names: 'g2ZxE7QFfw', 'roTx1Hcqsb', 'jrAx3kHVty', 'jcBxHL6jyg', 'PA0xwK2nQE', 'gnhxe3q1wh', 'UGFE7r2LaECkvLX5iU', 'c5gr5GZYkBgYv6yJeZ', 'Fw3hSW9PMhoeT40h1h', 'aNkxxoowoY'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, ghnLVRJAY1YAQewB72.cs | High entropy of concatenated method names: 'e3jO3B3sG5', 'X0JOH9AitO', 'ToString', 'ORtO5q3pa5', 'UlVOutaLtk', 'dvJOq6CpVG', 'inBOrTBuyP', 'taOO7fGPut', 'mtmOEZAbTW', 'DBFO1g9ZoB'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, XMxCLWb5jvH97KF4hJ.cs | High entropy of concatenated method names: 'BfCEouxdvP', 'iVYER4474W', 'r6lEATsYNe', 'XokEldBsYK', 'PBqEMvH48G', 'GWDEae5nkV', 'fwSEYr2lh9', 'F9lEbbTKYI', 'HeiEJ9QsPx', 'MLREgixqOJ'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, KHFsaRPoNPjLwP1jAo.cs | High entropy of concatenated method names: 'HBwql3qEm7', 'BbuqaZu1hO', 'PxRqbRFkls', 'tdYqJdHVUT', 'r4xqwiUcOR', 'DyPqeqmJKq', 'tcPqOUMBth', 'ueaq2f2PnM', 'ldWqIPHYQc', 'TTaqvwDsOP'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, WjWEnrUCZNp1gG5YGj.cs | High entropy of concatenated method names: 'tNg2V5ysT0', 'hod2nZOviU', 't5O2j8MxaQ', 'hZg268FCwd', 'ppi2pPyEhx', 'RVn299pcFs', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, DfJ0dCRFAshMGEKW91.cs | High entropy of concatenated method names: 'EQXOiTMP1u', 'WuoOdpkFcB', 'usZ2tiwTtk', 'ORZ2xgPRc5', 'ns8OXNx8yb', 'q0iO4McRj9', 'co3OmPT83P', 'JCOOp2nVye', 'oaKO8sEsvQ', 'fPsOZT3RCl'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, hhPdIVLeiktwu2CyKq.cs | High entropy of concatenated method names: 'C4OE5h3qFG', 'vISEq0CnVg', 'MqVE7FV7Li', 'u487d0Sbbo', 'eVg7zURS6p', 'agkEta6yBA', 'KUiExQvuFn', 'buJEc8OP7G', 'fMGEKBYQSZ', 'mklECo1nk4'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, TOUuoi2iFYVqAMgZ5Y.cs | High entropy of concatenated method names: 'Dispose', 'XZvxWKoSao', 'klHcnNZek4', 'yYvPPOlGR8', 'blBxdptgjc', 'MU9xz5ZVKk', 'ProcessDialogKey', 'vBnctwif6T', 'HUccxJlBWh', 'viuccVaLOK'
              Source: 0.2.6122.scr.exe.3818cd0.5.raw.unpack, cbk110oAvLBaHPT8aa.cs | High entropy of concatenated method names: 'mA3upnSV7U', 'Fmhu8Bn1F6', 'kvDuZMyGni', 'IXyuLQp8Vo', 'ImGuNvuXsb', 'Sbwu0oCNMk', 'JKMuFIAaja', 'mqBuiXr1BM', 'ynjuWGsf8g', 'v3Uud4Qslt'
              Source: 0.2.6122.scr.exe.7820000.7.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 0.2.6122.scr.exe.26c5a1c.3.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 0.2.6122.scr.exe.2716468.1.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 0.2.6122.scr.exe.26cf034.0.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 0.2.6122.scr.exe.271fa80.2.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 5.2.Adobe.exe.336fa30.0.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 5.2.Adobe.exe.331f008.2.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\6122.scr.exe | File written: C:\ProgramData\Adobe\Adobe.exe
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 4_2_00406EB0
              Source: C:\Users\user\Desktop\6122.scr.exe | File created: C:\ProgramData\Adobe\Adobe.exe

              Boot Survival

              Source: C:\Users\user\Desktop\6122.scr.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_0041AA4A
              Source: C:\Users\user\Desktop\6122.scr.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 4_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 4_2_0041CB50
              Source: C:\Users\user\Desktop\6122.scr.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe\Adobe.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: 6122.scr.exe PID: 1688, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: Adobe.exe PID: 2456, type: MEMORYSTR
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_0040F7A7 Sleep,ExitProcess
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: B60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 2690000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 4690000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 79F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 89F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 8BB0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 9BB0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 18A0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 32E0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 52E0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 81F0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 91F0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 93A0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: A3A0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 2D30000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 2F20000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 4F20000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 7DB0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 8DB0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 8F60000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 9F60000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 11C0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 2C30000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 4C30000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 7AA0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 8AA0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 8C50000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 9C50000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,4_2_0041A748
              Source: C:\Users\user\Desktop\6122.scr.exe Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe\Adobe.exe Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe\Adobe.exe Window / User API: threadDelayed 2164
              Source: C:\ProgramData\Adobe\Adobe.exe Window / User API: threadDelayed 7817
              Source: C:\Users\user\Desktop\6122.scr.exe Evaded block: after key decision graph_4-47650
              Source: C:\Users\user\Desktop\6122.scr.exe Evaded block: after key decision graph_4-47673
              Source: C:\Users\user\Desktop\6122.scr.exe API coverage: 6.3 %
              Source: C:\ProgramData\Adobe\Adobe.exe API coverage: 9.6 %
              Source: C:\Users\user\Desktop\6122.scr.exe TID: 6424 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 1464 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 6828 Thread sleep count: 2164 > 30
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 6828 Thread sleep time: -6492000s >= -30000s
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 6828 Thread sleep count: 7817 > 30
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 6828 Thread sleep time: -23451000s >= -30000s
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 1824 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 5336 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_0044E879 FindFirstFileExA
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_0040783C FindFirstFileW,FindNextFileW
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 6_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 6_2_10006580 FindFirstFileExA
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 10_2_0040AE51 FindFirstFileW,FindNextFileW
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 10_2_00418981 memset,GetSystemInfo
              Source: Amcache.hve.19.dr Binary or memory string: VMware
              Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin
              Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
              Source: Amcache.hve.19.dr Binary or memory string: VMware20,1hbin@
              Source: Amcache.hve.19.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.19.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.19.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: Adobe.exe, 00000006.00000002.3827115775.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.19.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: Amcache.hve.19.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.19.dr Binary or memory string: vmci.sys
              Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin`
              Source: Amcache.hve.19.dr Binary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Adobe.exe, 00000006.00000002.3826634389.0000000000C97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH[
              Source: Amcache.hve.19.dr Binary or memory string: VMware20,1
              Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.19.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
              Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.19.dr Binary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.19.dr Binary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual RAM
              Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.19.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\ProgramData\Adobe\Adobe.exe API call chain: ExitProcess graph end node
              Source: C:\Users\user\Desktop\6122.scr.exe Process information queried: ProcessInformation
              Source: C:\ProgramData\Adobe\Adobe.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_004432B5 mov eax, dword ptr fs:[00000030h]
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 6_2_10004AB4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_00412077 GetProcessHeap,HeapFree
              Source: C:\Users\user\Desktop\6122.scr.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_00434B47 SetUnhandledExceptionFilter
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 6_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 6_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 6_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\6122.scr.exe Memory written: C:\Users\user\Desktop\6122.scr.exe base: 400000 value starts with: 4D5A
              Source: C:\ProgramData\Adobe\Adobe.exe Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
              Source: C:\ProgramData\Adobe\Adobe.exe Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 4_2_004120F7
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_00419627 mouse_event
              Source: C:\Users\user\Desktop\6122.scr.exe Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
              Source: C:\Users\user\Desktop\6122.scr.exe Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
              Source: C:\ProgramData\Adobe\Adobe.exe Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
              Source: C:\ProgramData\Adobe\Adobe.exe Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq"
              Source: C:\ProgramData\Adobe\Adobe.exe Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\nytbgrrvtzplutnlvscrbj"
              Source: C:\ProgramData\Adobe\Adobe.exe Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl"
              Source: Adobe.exe, 00000006.00000002.3826866437.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: Adobe.exe, 00000006.00000002.3826866437.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager]d
              Source: Adobe.exe, 00000006.00000002.3826866437.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000006.00000002.3826866437.0000000000CD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 4_2_00434C52 cpuid
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: EnumSystemLocalesW,4_2_00452036
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_004520C3
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: GetLocaleInfoW,4_2_00452313
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: EnumSystemLocalesW,4_2_00448404
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_0045243C
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: GetLocaleInfoW,4_2_00452543
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00452610
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: GetLocaleInfoA,4_2_0040F8D1
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: GetLocaleInfoW,4_2_004488ED
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_00451CD8
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: EnumSystemLocalesW,4_2_00451F50
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: EnumSystemLocalesW,4_2_00451F9B
              Source: C:\Users\user\Desktop\6122.scr.exeQueries volume information: C:\Users\user\Desktop\6122.scr.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\6122.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\6122.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\6122.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\6122.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\6122.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\ProgramData\Adobe\Adobe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0040B164 GetLocalTime,wsprintfW,4_2_0040B164
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_0041B60D GetUserNameW,4_2_0041B60D
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 4_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_00449190
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 10_2_0041739B GetVersionExW,10_2_0041739B
              Source: C:\Users\user\Desktop\6122.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: Amcache.hve.19.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.19.drBinary or memory string: msmpeng.exe
              Source: Amcache.hve.19.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.19.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
              Source: Amcache.hve.19.drBinary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.6122.scr.exe.375eab0.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.1380972465.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.1498365539.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.3826634389.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000018.00000002.1577773134.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 6122.scr.exe PID: 1688, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: 6122.scr.exe PID: 1356, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 6580, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 2192, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 4216, type: MEMORYSTR
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data4_2_0040BA12
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\4_2_0040BB30
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: \key3.db4_2_0040BB30
              Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqliteJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.dbJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\AccountsJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic SaltJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live MailJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: ESMTPPassword12_2_004033F0
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword12_2_00402DB3
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword12_2_00402DB3
              Source: Yara matchFile source: Process Memory Space: Adobe.exe PID: 6060, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 4.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.41993e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.375eab0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.41993e0.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.375eab0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.1380972465.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.1498365539.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3826634389.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.1577773134.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 6122.scr.exe PID: 1688, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 6122.scr.exe PID: 1356, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 6580, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 2192, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 4216, type: MEMORYSTR
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: cmd.exe 4_2_0040569A
MITRE ATT&CK Matrix (one line per tactic; the figure in brackets is the count shown against that technique in the report, techniques without a figure had no matches)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (21); Command and Scripting Interpreter (12); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Windows Service (1); Registry Run Keys / Startup Folder (11); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (222); Registry Run Keys / Startup Folder (11); Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (11); Virtualization/Sandbox Evasion (41); Access Token Manipulation (1); Process Injection (222)
Credential Access: OS Credential Dumping (2); Input Capture (111); Credentials in Registry (2); Credentials In Files (3); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (38); Security Software Discovery (151); Virtualization/Sandbox Evasion (41); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (111); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph ID: 1519258; Sample: 6122.scr.exe; Startdate: 26/09/2024; Architecture: WINDOWS; Score: 100

• Start (node 2): DNS/IP geoplugin.net; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures; started 6122.scr.exe (11), Adobe.exe (15), Adobe.exe (17)
• 6122.scr.exe (11): dropped C:\Users\user\AppData\...\6122.scr.exe.log, ASCII; signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures; started 6122.scr.exe (19), 6122.scr.exe (23)
• Adobe.exe (15): signature: Injects a PE file into a foreign processes; started Adobe.exe (25)
• Adobe.exe (17): started Adobe.exe (27)
• 6122.scr.exe (19): dropped C:\ProgramData\Adobe\Adobe.exe, PE32 and C:\ProgramData\...\Adobe.exe:Zone.Identifier, ASCII; signatures: Creates autostart registry keys with suspicious names; Drops executable to a common third party application directory; started Adobe.exe (29)
• Adobe.exe (29): signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file registry); Machine Learning detection for dropped file; Injects a PE file into a foreign processes; started Adobe.exe (32)
• Adobe.exe (32): DNS/IP 104.250.180.178, ports 49709, 49711, 7902, M247GB, United States; geoplugin.net 178.237.33.50, ports 49713, 80, ATOM86-ASATOM86NL, Netherlands; signature: Maps a DLL or memory area into another process; started Adobe.exe (36), Adobe.exe (39), Adobe.exe (41), 5 other processes
• Adobe.exe (36): signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
• Adobe.exe (39): signature: Tries to harvest and steal browser information (history, passwords, etc)
• Adobe.exe (41): started WerFault.exe (45)



Source | Detection | Scanner | Label
6122.scr.exe | 29% | ReversingLabs | Win32.Trojan.CrypterX
6122.scr.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\ProgramData\Adobe\Adobe.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Adobe\Adobe.exe | 29% | ReversingLabs | Win32.Trojan.CrypterX

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
104.250.180.178 | 0% | Avira URL Cloud | safe
http://www.nirsoft.net | 0% | Avira URL Cloud | safe
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
https://login.yahoo.com/config/login | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
104.250.180.178 | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com/accounts/servicelogin | Adobe.exe | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.19.dr | false | URL Reputation: safe | unknown
https://login.yahoo.com/config/login | Adobe.exe | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | Adobe.exe, 0000000A.00000002.1494930404.0000000001383000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | Adobe.exe, 0000000C.00000002.1477890338.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | 6122.scr.exe, 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.250.180.178 | unknown | United States | 9009 | M247GB | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519258
Start date and time: 2024-09-26 09:21:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 6122.scr.exe (renamed because the original name is a hash value)
Original Sample Name: DN ISF S CLS930 KHH-TOLEDO(VIA NYC) SO#66158152 WKH2406122.scr.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@32/12@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 160
• Number of non-executed functions: 346
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 6122.scr.exe
Time | Type | Description
03:22:00 | API Interceptor | 1x Sleep call for process: 6122.scr.exe modified
03:22:02 | API Interceptor | 4822441x Sleep call for process: Adobe.exe modified
03:22:24 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
08:22:03 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
08:22:11 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
08:22:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                104.250.180.178DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exeGet hashmaliciousXWormBrowse
                  BNE400266900B - RLS SO# W317pdf.scr.exeGet hashmaliciousRemcosBrowse
                    BNE400266900A - BL NO.BNE400266900.pdf.scr.exeGet hashmaliciousXWormBrowse
                      (Draft) - SO# L539-SE2409060 Cut off #Uff19-15 - CHR# 487700191.scr.exeGet hashmaliciousRemcosBrowse
                        SEA - SO#L539 (SO+INV+PKG+ISF+VGM).scr.exeGet hashmaliciousXWormBrowse
                          rSO3315RCOHBLKHRTMP249013CO240913.pdf.scr.exeGet hashmaliciousRemcosBrowse
                            rBLNO.KHRTMP249013-SINGAPOREEXPRESSV.002W.scr.exeGet hashmaliciousXWormBrowse
                              SO#5087 (SO+INV+PKG+ISF+VGM) #U8acb#U67e5#U6536.scr.exeGet hashmaliciousRemcosBrowse
                                BOOKING CLS 817 by SEA - CFS FM KHH TO FL (#U6cf0#U967d).scr.exeGet hashmaliciousXWormBrowse
                                  A_N-#U555f#U7881-TSNCNC17066-0721-LCL..scr.exeGet hashmaliciousRemcosBrowse
178.237.33.50 | SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | file.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | BL.xls | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | 1DUCJGrpyb.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | XjPA2pnUhC.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Marys Organizer 2023 Release.zip | malicious | Remcos | 178.237.33.50
geoplugin.net | https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 178.237.33.50
geoplugin.net | file.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | 1DUCJGrpyb.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe | malicious | XWorm | 104.250.180.178
M247GB | file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer | 91.202.233.158
M247GB | file.exe | malicious | Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT | 91.202.233.158
M247GB | SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf | malicious | Unknown | 158.46.140.169
M247GB | BNE400266900B - RLS SO# W317pdf.scr.exe | malicious | Remcos | 104.250.180.178
M247GB | BNE400266900A - BL NO.BNE400266900.pdf.scr.exe | malicious | XWorm | 104.250.180.178
M247GB | jD6b7MZOhT.exe | malicious | Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine | 91.202.233.158
M247GB | aL8prAD2gL.js | malicious | XWorm | 82.102.27.171
M247GB | Ref_5010_103.exe | malicious | AgentTesla | 172.86.66.70
M247GB | Ship_Doc_18505.exe | malicious | AgentTesla | 172.86.66.70
ATOM86-ASATOM86NL | SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Marys Organizer 2023 Release.zip | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | file.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | 1DUCJGrpyb.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
                                    No context
                                    No context
                                    Process:C:\Users\user\Desktop\6122.scr.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):923136
                                    Entropy (8bit):7.918674012391725
                                    Encrypted:false
                                    SSDEEP:24576:pSl++842srFVCeJ8E5WryTL/8bTAWrtCh:pSl++842srfp+EW4oAQtU
                                    MD5:784B07833FBDCA10528DBEB3EB1DAFFE
                                    SHA1:BEEE89B885546C0DC98F7931F097F9659BBB8419
                                    SHA-256:D99F687B6E744E9D9BDFF2E59C273C85DEFF48DBAA52BF2D64009FD5EC4907AB
                                    SHA-512:459916B828FCEF6F3EB9AA2E123078A33907281AC47AAB71BB3140CE446A6694BDB6347B1DEC6678A96368768697A4045BD31B9110B2D87306A011296264DC4B
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 29%
                                    Reputation:low
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......$........... ... ....@.. ....................................@.....................................O.... ... ...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc.... ... ..."..................@..@.reloc.......`......................@..B........................H........Y..\5..........,...p............................................0..|........(..........(....}......{....(....}........(....}........(....}........(....}........(....}........(....}........(....}....*.0..!..........(.... l...Y m...Z..(....X.+..*....0..m........s....}..... ....}.....#......cA}..... .ig.}.....#......c.}..... .'....s....}........s....}......}......}.....(.......(.......8..........>...%..,.o....s.......{.....{....(....}......{.....{....( ...}......{.....{
                                    Process:C:\Users\user\Desktop\6122.scr.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Reputation:high, very likely benign file
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.5810724436728646
                                    Encrypted:false
                                    SSDEEP:96:4uFjrYD7JsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTA/f/VXT5Nm:XVYD7Jk0WbkQzuiFHZ24IO8b
                                    MD5:2265C8044F6977FDB00D431D2E4B8E91
                                    SHA1:3B787036AB64BAE1AC0C7DF136BC290820A68358
                                    SHA-256:E6E4DA800376CEA8BE6F4FE6DECFDC410A4BF3603AA5168CBCD6D9434D0CF39B
                                    SHA-512:EF971649234634F662126CD855D96C644B1775C7F1AFFF5801691BF130C30B58DA5C7B2EEDE70298880BDEAF418055F698013C0EB827B147CE4BDDE0B133DCE5
                                    Malicious:false
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.8.0.8.9.3.3.3.3.4.3.3.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.8.0.8.9.3.7.8.9.6.8.0.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.1.b.e.9.b.8.-.e.f.e.4.-.4.3.1.9.-.8.6.9.7.-.d.6.e.a.4.5.f.9.e.c.8.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.b.5.8.7.0.0.-.1.d.f.7.-.4.5.6.0.-.9.0.2.8.-.e.3.9.d.3.1.7.8.4.4.5.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.3.4.-.0.0.0.1.-.0.0.1.4.-.5.7.d.5.-.a.7.c.d.e.4.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.7.c.8.8.4.1.b.2.b.f.d.9.c.4.5.c.2.0.8.2.1.b.1.b.f.e.f.e.a.2.8.0.0.0.0.0.0.0.0.!.0.0.0.0.b.e.e.e.8.9.b.8.8.5.5.4.6.c.0.d.c.9.8.f.7.9.3.1.f.0.9.7.f.9.6.5.9.b.b.b.8.4.1.9.!.A.d.o.b.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8240
                                    Entropy (8bit):3.675479573953139
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJ6ZJ6u6YRZY6AH+pgmfUwpx289bi0sfcS2m:R6lXJa6u6YQ6AHogmfUginfca
                                    MD5:0477337C67274388556D48951F0C17FF
                                    SHA1:B3645B5C10BBEA2AEF7E0336995CD37D268FBD4C
                                    SHA-256:6E06C58BA5748277FF4A9F91A2B24199ED7F9CFD1D8616E2C31DE672070350BF
                                    SHA-512:5D0811FB6DB793FB83BC587AA5342988AEE68A1B8FC926524DBA42485C8C4BC2ABE370B7E55A599409D8D5430980B5B57572B4784FE430DDB96511C3A6F7775D
                                    Malicious:false
                                    Reputation:low
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.9.2.<./.P.i.
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4568
                                    Entropy (8bit):4.438159587719802
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zsUJg77aI95OWpW8VYjOYm8M4JTHFo2+q87Ng0rl3eed:uIjfSI7zv7V2J+2bml3eed
                                    MD5:47A6CB08F9A04551AFAA96A11A431E85
                                    SHA1:CD51F2EF0102DFF1B5BB775658B29BEBF6AB53C0
                                    SHA-256:046CBA8E4847AB713B16E6CFDBA2528635C61C1B909B263A2AB8ADF4DE1C4627
                                    SHA-512:3A5E0B495B8F70E72DBDDD23BDE1783058722585B3D9474A9D6AEADBB5EDA36A055963E369BB3E5DAAAAE9F3E2D5A84B0A20B693560CA976104D4F9B17F1DA90
                                    Malicious:false
                                    Reputation:low
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="516864" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                    Process:C:\Users\user\Desktop\6122.scr.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.34331486778365
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                    Malicious:true
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                    Process:C:\ProgramData\Adobe\Adobe.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.34331486778365
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                    Process:C:\ProgramData\Adobe\Adobe.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):962
                                    Entropy (8bit):5.012309356796613
                                    Encrypted:false
                                    SSDEEP:12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
                                    MD5:14B479958E659C5A4480548A393022AC
                                    SHA1:CD0766C1DAB80656D469ABDB22917BE668622015
                                    SHA-256:0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
                                    SHA-512:4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
                                    Malicious:false
                                    Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4736
                                    Entropy (8bit):3.243223963991253
                                    Encrypted:false
                                    SSDEEP:96:pwpIiYkXkkXfkuguWN0QT0Qi0QgF0QXL0QW0QAH9g/XeLszeuzSzbxGQI5kmYMs5:pFle+u+SyoeyOkN4
                                    MD5:D7944BB48A46300F19AA8EA2DE5C9045
                                    SHA1:C335FA3AED09611321200981FD39CD2491872A61
                                    SHA-256:3DFA082E887EE671203A7E570F92FA8B40973737C4AEA8B07B61DAEC27FE6E57
                                    SHA-512:6AE5193FDD9409EE0B265DA9A99FB3E65176F5F3476DB552910FA3C6AE1565F77E26DBC908EE641CC82BB00B856AC48CB1CE6D84A71767CE5F0B68A6690E470B
                                    Malicious:false
                                    Preview:......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.5.9.2. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .2.7.5.9.4.5.8. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.
                                    Process:C:\ProgramData\Adobe\Adobe.exe
                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0155ffb7, page size 32768, DirtyShutdown, Windows version 10.0
                                    Category:dropped
                                    Size (bytes):15728640
                                    Entropy (8bit):0.10807997132117475
                                    Encrypted:false
                                    SSDEEP:1536:GSB2jpSB2jFSjlK/gw/ZweshzbOlqVqww/ZXesozbElqVqgesKzbdzb+zb6:Ga6amUueqaJEeqv7tW
                                    MD5:40D660B4AE3EF5A4D0EDCE7216A746FD
                                    SHA1:4725EF64323F955EFE529DA3EE8F7DC0EA1E8626
                                    SHA-256:D264158F0DB89FF6E751CF3697F21AD1B462A3866A737B0836194672AE24B67A
                                    SHA-512:91044A1F5380FB982FAE2ACA51AF917C239E6A1D04798E3262037B5670EA37DBB7A7C5AA4197C8A7C7514790EE465B3183504A152F501F37729617DE898F8E22
                                    Malicious:false
                                    Preview:.U..... ...................':...{........................L..........{#. ....{M.h.N.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{..................................Jc|. ....{M.................... ....{M..........................#......h.N.....................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\ProgramData\Adobe\Adobe.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                    Category:dropped
                                    Size (bytes):2
                                    Entropy (8bit):1.0
                                    Encrypted:false
                                    SSDEEP:3:Qn:Qn
                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                    Malicious:false
                                    Preview:..
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.3940289939958594
                                    Encrypted:false
                                    SSDEEP:6144:El4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuN/ROBSqa:84vF0MYQUMM6VFYlRU
                                    MD5:68C3448E673D4976124B3237E582750B
                                    SHA1:64492011D7E21E2598CF93A2250B650D8726AC4E
                                    SHA-256:82FCC0329CAFEB2BEC730B3E4F43D82ADF45F3F8BFEB8374BDDFAEA76B55BC9F
                                    SHA-512:D095AFB55AADE4A505CC4C40A3A887DAAD4A25C4A4FBA03FEDE8DB5AD605196BFF54511CBABAA5BD9909CC2CA912B61AE754321A5D7C63805205679ACAAD707B
                                    Malicious:false
                                    Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.<..................................................................................................................................................................................................................................................................................................................................................H9..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.918674012391725
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:6122.scr.exe
                                    File size:923'136 bytes
                                    MD5:784b07833fbdca10528dbeb3eb1daffe
                                    SHA1:beee89b885546c0dc98f7931f097f9659bbb8419
                                    SHA256:d99f687b6e744e9d9bdff2e59c273c85deff48dbaa52bf2d64009fd5ec4907ab
                                    SHA512:459916b828fcef6f3eb9aa2e123078a33907281ac47aab71bb3140ce446a6694bdb6347b1dec6678a96368768697a4045bd31b9110b2d87306a011296264dc4b
                                    SSDEEP:24576:pSl++842srFVCeJ8E5WryTL/8bTAWrtCh:pSl++842srfp+EW4oAQtU
                                    TLSH:EA1522802625D21BC4520FF85B61E0F523FA4FDD9A22E6038FE72CEFB6A5B50155136B
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......$........... ... ....@.. ....................................@................................
                                    Icon Hash:1e77fe7273f0311e
                                    Entrypoint:0x4e0fee
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x66F4E2D1 [Thu Sep 26 04:28:01 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe0f9c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x20ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xdeff4 | 0xdf000 | fc164ea8afcad502a21731b982257a64 | False | 0.9400694979680493 | data | 7.923349764605857 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe2000 | 0x20ac | 0x2200 | d5696c7b3b849f9e258e42139c0fa19e | False | 0.8969439338235294 | data | 7.497992094592602 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe6000 | 0xc | 0x200 | f0f8a690675af66a1fda267e316bb424 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xe20c8 | 0x1cbb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.996057104010877
RT_GROUP_ICON | 0xe3d94 | 0x14 | data | | | 1.05
RT_VERSION | 0xe3db8 | 0x2f0 | SysEx File - IDP | | | 0.44813829787234044
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T09:22:04.558563+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49709 | 104.250.180.178 | 7902 | TCP
2024-09-26T09:22:07.384134+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.9 | 49713 | 178.237.33.50 | 80 | TCP
2024-09-26T09:22:07.464613+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.9 | 49711 | 104.250.180.178 | 7902 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 09:22:03.568031073 CEST | 49709 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:03.572946072 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:03.573050976 CEST | 49709 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:03.581741095 CEST | 49709 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:03.586540937 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:04.518474102 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:04.558562994 CEST | 49709 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:04.983577013 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:04.992530107 CEST | 49709 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:04.997463942 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:05.099159002 CEST | 49709 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:05.104129076 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:05.104183912 CEST | 49709 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:05.109054089 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:05.859491110 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:05.861151934 CEST | 49709 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:05.866024017 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:06.278871059 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:06.280760050 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:06.285886049 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:06.285991907 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:06.289858103 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:06.294684887 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:06.323975086 CEST | 49709 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:06.777920961 CEST | 49713 | 80 | 192.168.2.9 | 178.237.33.50
Sep 26, 2024 09:22:06.782876015 CEST | 80 | 49713 | 178.237.33.50 | 192.168.2.9
Sep 26, 2024 09:22:06.783169031 CEST | 49713 | 80 | 192.168.2.9 | 178.237.33.50
Sep 26, 2024 09:22:06.783169031 CEST | 49713 | 80 | 192.168.2.9 | 178.237.33.50
Sep 26, 2024 09:22:06.788084030 CEST | 80 | 49713 | 178.237.33.50 | 192.168.2.9
Sep 26, 2024 09:22:07.383943081 CEST | 80 | 49713 | 178.237.33.50 | 192.168.2.9
Sep 26, 2024 09:22:07.384134054 CEST | 49713 | 80 | 192.168.2.9 | 178.237.33.50
Sep 26, 2024 09:22:07.404767036 CEST | 49709 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:07.411258936 CEST | 7902 | 49709 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:07.412990093 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:07.464612961 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:07.816210032 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:07.869916916 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:07.874844074 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:07.895406008 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:07.900223017 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:07.900302887 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:07.905101061 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.383800030 CEST | 80 | 49713 | 178.237.33.50 | 192.168.2.9
Sep 26, 2024 09:22:08.383871078 CEST | 49713 | 80 | 192.168.2.9 | 178.237.33.50
Sep 26, 2024 09:22:08.831986904 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.832027912 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.832144976 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:08.841260910 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.841285944 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.841305017 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.841351032 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:08.851166010 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.851310015 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:08.851360083 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.851377010 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.851444006 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:08.861155033 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.861188889 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.861206055 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.861248016 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:08.876326084 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.876403093 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:08.876467943 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.876482010 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.876565933 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:08.920614958 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.920644045 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:08.920726061 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.201172113 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.201201916 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.201404095 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.201531887 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.201576948 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.201590061 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.201617956 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.201621056 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.201936007 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.241589069 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.241621971 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.241641045 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.241656065 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.241674900 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.241718054 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.241718054 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.285262108 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.285304070 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.285331011 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.288043022 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.288093090 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.288105011 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.288115025 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.288172007 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.301130056 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.301145077 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.301168919 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.301215887 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.330180883 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.330198050 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.330315113 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.335992098 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.336038113 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.336049080 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.336106062 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.336132050 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.341120958 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.341166973 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.341176033 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.341242075 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.346468925 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.346563101 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.346575975 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.346607924 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.346631050 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.373825073 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.373837948 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.373907089 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.671145916 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.671163082 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.671267986 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.691477060 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.691607952 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.691622972 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.691648960 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.691694021 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.691734076 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.710931063 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.710961103 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.710997105 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.711009979 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.711016893 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.711121082 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.721106052 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.721369982 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.721385002 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.721414089 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.721453905 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.721453905 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.761167049 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.761190891 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.761225939 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.761373997 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.771365881 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.771397114 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.771430016 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.771452904 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.771486998 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.771536112 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.776315928 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.776351929 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.776418924 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.776431084 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.776446104 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.776496887 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.791641951 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.791666985 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.791682959 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.791795969 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.791987896 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.806173086 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.806229115 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.806242943 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.806310892 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.816199064 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.816221952 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.816247940 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.816297054 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.816329002 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.826174021 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.826191902 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.826216936 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.826277971 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.831284046 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.831331968 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.831346989 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.831449032 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.849591970 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.849630117 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.849740028 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.859843016 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.859879017 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.859952927 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.861273050 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.861296892 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.861360073 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.861362934 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.861391068 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.861495972 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.871773005 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.871788025 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.871834040 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.871848106 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.871865034 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.871915102 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.876357079 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.876379013 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.876405001 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.876441956 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.894743919 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.894761086 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.894843102 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.901477098 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.901499033 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.901523113 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.901567936 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.901634932 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.904736996 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.904752016 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.904896975 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.906121016 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.906155109 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.906171083 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.906229973 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.917088985 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.917117119 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.917140961 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.917179108 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.917217970 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:09.938385963 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.938421965 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:09.938561916 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:10.323894024 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.323915958 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.324080944 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:10.331864119 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.331880093 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.331899881 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.331995010 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:10.366341114 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.366363049 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.366388083 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.366497040 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:10.366584063 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:10.371031046 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.371061087 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.371069908 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.371243000 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
Sep 26, 2024 09:22:10.376534939 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.376569033 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.376579046 CEST | 7902 | 49711 | 104.250.180.178 | 192.168.2.9
Sep 26, 2024 09:22:10.376741886 CEST | 49711 | 7902 | 192.168.2.9 | 104.250.180.178
                                    Sep 26, 2024 09:22:10.391318083 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.391335011 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.391365051 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.391376019 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.391475916 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.391475916 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.396403074 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.396431923 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.396441936 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.396509886 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.410383940 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.410401106 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.410526037 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.426229000 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.426362038 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.426373959 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.426381111 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.426521063 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.482151985 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.482167959 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.482311010 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.483515024 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.483572006 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.483582973 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.483807087 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.487010956 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.487137079 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.487152100 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.487162113 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.487351894 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.507003069 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.507055998 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.507066965 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.507196903 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.522697926 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.522716045 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.522753954 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.522767067 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.522795916 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.522808075 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.522835970 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.522911072 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.551595926 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.551613092 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.551635981 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.551692009 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.551826954 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.556601048 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.556628942 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.556638956 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.556699991 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.566243887 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.566273928 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.566284895 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.566323042 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.566553116 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.572043896 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.572118044 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.572364092 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.611139059 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.611175060 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.611278057 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.616677046 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.616712093 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.616724014 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.616765976 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.616880894 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.617007017 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.621474981 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.621510029 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.621526957 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.621553898 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.621556044 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.621707916 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.631062984 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.631114960 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.631125927 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.631148100 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.631185055 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.631185055 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.631247997 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.631297112 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.631305933 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.631397963 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.640119076 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.640147924 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.640203953 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.681133986 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.681164980 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.681178093 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.681227922 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.681360006 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.691052914 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.691087961 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.691097975 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.691230059 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.696068048 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.696114063 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.696125031 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.696192026 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.696192026 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.699511051 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.699539900 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.699589968 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.705243111 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.705255032 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.705296040 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.711616993 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.711630106 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.711653948 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.711685896 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.728547096 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.728558064 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.728993893 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.731587887 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.731616974 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.731626987 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.731704950 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.731704950 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.782700062 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.782712936 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.782741070 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.782762051 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.804368019 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.804379940 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.804399967 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.804413080 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.804582119 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.805556059 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.847717047 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.847728968 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.847750902 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.847764969 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.847805977 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.861659050 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.861705065 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.861706018 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.861721992 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.861762047 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.871186972 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.871248007 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.871330976 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.892942905 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.892955065 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.893018961 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.898163080 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.898206949 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.898216963 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.898302078 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.911081076 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.911093950 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.911138058 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.911174059 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.911184072 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.911276102 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.926644087 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.926698923 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.926702023 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.926709890 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.926747084 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.941229105 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.941257954 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.941267014 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.941314936 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.959825039 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.959872007 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.959880114 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.981532097 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.981565952 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.981575966 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.981585979 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.981657982 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:10.999725103 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.999777079 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:10.999831915 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.021723986 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.021749020 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.021770954 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.021786928 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.021836996 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.021894932 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.029809952 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.029839993 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.029979944 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.036735058 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.036767960 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.036778927 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.036811113 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.036842108 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.036879063 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.036885977 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.036890984 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.036967993 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.046436071 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.046451092 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.046473026 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.046550035 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.056632996 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.056646109 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.056667089 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.056749105 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.056809902 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.086018085 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.086052895 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.086064100 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.086178064 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.088176012 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.088205099 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.088251114 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.110038996 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.110070944 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.110155106 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.115863085 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.115920067 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.115967035 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.115977049 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.115983009 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.116064072 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.140953064 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.140969038 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.140996933 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.141027927 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.141134977 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.141161919 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.141200066 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.141254902 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.141283035 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.141315937 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.141385078 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.150974989 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.150989056 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.151010036 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.151083946 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.156096935 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.156162024 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.156172991 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.156183958 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.156260014 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.174674034 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.174685955 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.174834967 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.190958023 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.191001892 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.191011906 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.191112995 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.211025000 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.211040020 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.211064100 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.211076975 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.211139917 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.211252928 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.239470959 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.239531994 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.239671946 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.244591951 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.244604111 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.244708061 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:11.271023035 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:11.271151066 CEST790249711104.250.180.178192.168.2.9
Sep 26, 2024 09:22:11.271161079 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.271173000 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.271276951 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.281176090 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.281224966 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.281234026 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.281284094 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.291115046 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.291129112 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.291151047 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.291243076 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.291243076 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.306832075 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.306845903 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.306874990 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.306888103 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.306958914 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.308501005 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.321304083 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.321331978 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.321341991 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.321400881 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.333142996 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.333153963 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.333303928 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.359611988 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.359633923 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.359766006 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.361402988 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.361427069 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.361455917 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.361479044 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.361524105 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.379805088 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.379826069 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.379884005 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.386394024 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.386432886 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.386457920 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.386511087 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.391041040 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.391062975 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.391088009 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.391124010 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.391191006 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.401014090 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.401083946 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.401098013 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.401141882 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.416188955 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.416220903 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.416260004 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.416282892 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.416304111 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.416306973 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.421221972 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.421255112 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.421267986 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.421312094 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.421408892 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.431195974 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.431229115 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.431318998 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.431328058 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.431343079 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.431422949 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.431520939 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.431535006 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.431643963 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.431663036 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.431734085 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.431787968 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.456269979 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.456357956 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.456372976 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.456487894 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.461137056 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.461155891 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.461184978 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.461200953 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.461253881 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.466005087 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.466038942 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.466054916 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.466130018 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.468147039 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.468163967 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.468215942 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.471210957 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.471261024 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.471271992 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.471278906 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.471333981 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.476044893 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.476078987 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.476093054 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.476183891 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.504730940 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.504746914 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.504810095 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.519742966 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.519757986 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.519845963 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.536041021 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.536106110 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.536118984 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.536254883 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.541127920 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.541151047 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.541177034 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.541251898 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.541302919 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.576055050 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.576107979 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.576122046 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.576195002 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.585994005 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.586010933 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.586038113 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.586069107 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.586128950 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.590980053 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.591010094 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.591099977 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.591106892 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.591121912 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.591228008 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.608306885 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.608340979 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.608402014 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.624533892 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.624548912 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.624613047 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.629657030 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.629703045 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.629796028 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.631292105 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.631361008 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.631373882 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.631406069 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.651309013 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.651336908 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.651361942 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.651421070 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.651457071 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.661083937 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.661098957 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.661134005 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.661184072 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.670984030 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.671000957 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.671026945 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.671060085 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.671124935 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.679501057 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.679516077 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.679593086 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.685956955 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.685971975 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.686002016 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.686037064 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.686052084 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.686156034 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.696810007 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.696825027 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.696907043 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.706445932 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.706479073 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.706490993 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.706581116 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.713175058 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.713188887 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.713249922 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.731440067 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.731456041 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.731484890 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.731524944 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.731579065 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.745980978 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.746033907 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.746046066 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.746099949 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.759489059 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.759524107 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.759632111 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.768158913 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.768229961 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.768264055 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.774460077 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.774487972 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.774579048 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.785356998 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.785372019 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.785553932 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.798192024 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.798207998 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.798321009 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.806632042 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.806646109 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.806693077 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.806705952 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.806742907 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.806771040 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.819873095 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.819888115 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.819973946 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.831103086 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.831116915 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.831160069 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.831172943 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.831180096 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.831403971 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.856748104 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.856779099 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.856815100 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.856836081 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.856863022 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.856880903 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.856880903 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.861144066 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.861171007 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.861190081 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.861237049 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.861237049 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.863097906 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.863140106 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.863198042 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.873800993 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.873832941 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.873879910 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.881203890 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.881238937 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.881252050 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.881443024 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.886569023 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.886600971 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.886725903 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.901210070 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.901232004 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.901262999 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.901283979 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.901324987 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.908329964 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.908344030 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.908416033 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.915874958 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.915909052 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.915935040 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.916004896 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.931065083 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.931099892 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.931149006 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.931159973 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.931219101 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.931248903 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.945453882 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.945470095 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.945581913 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.951675892 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.951714039 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.951741934 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.962459087 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.962471962 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.962529898 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.975132942 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.975150108 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.975347996 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.987221003 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.987236977 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.987261057 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.987324953 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.987324953 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.989927053 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.989942074 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.990005016 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.991482973 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.991535902 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.991548061 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.991586924 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:11.996937037 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.996956110 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:11.996995926 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.017035007 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.017079115 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.017091990 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.017091990 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.017153025 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.017153025 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.032004118 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.032023907 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.032046080 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.032068014 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.032093048 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.032093048 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.040227890 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.040244102 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.040308952 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.046345949 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.046387911 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.046399117 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.046401024 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.046468973 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.056297064 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.056337118 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.056370974 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.056405067 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.061674118 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.061690092 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.061723948 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.061738968 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.061758995 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.061764956 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.061825037 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.061825037 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.072638988 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.072654009 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.072676897 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.072725058 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.078140020 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.078152895 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.078346968 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.101566076 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.101583958 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.101592064 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.101836920 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.116126060 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.116168022 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.116178036 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.116199017 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.116342068 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.116342068 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.120477915 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.120492935 CEST  7902   49711  104.250.180.178  192.168.2.9
Sep 26, 2024 09:22:12.120582104 CEST  49711  7902   192.168.2.9      104.250.180.178
Sep 26, 2024 09:22:12.128696918 CEST  7902   49711  104.250.180.178  192.168.2.9
                                    Sep 26, 2024 09:22:12.128711939 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.128768921 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.131607056 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.131645918 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.131659031 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.131711006 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.136604071 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.136647940 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.136657000 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.136668921 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.136811972 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.141448975 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.141469002 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.141489983 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.141535044 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.150177002 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.150218964 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.150285006 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.157727957 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.157768965 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.157778978 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.157793999 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.157802105 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.157835007 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.176609039 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.176685095 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.176697016 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.176713943 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.176723003 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.176742077 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.176764011 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.176776886 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.181305885 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.181322098 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.181344986 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.183403015 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.186382055 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.186394930 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.186429977 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.186460018 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.186505079 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.191318989 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.191344976 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.191354990 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.191391945 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.202462912 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.202478886 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.202500105 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.202558041 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.202591896 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.202615023 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.202627897 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.202697039 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.204570055 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.204582930 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.204626083 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.208875895 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.208890915 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.208934069 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.217078924 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.217091084 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.217139006 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.219963074 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.219974041 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.220046043 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.225224972 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.225249052 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.225322962 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.229938030 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.229996920 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.230068922 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.236057997 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.236082077 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.236103058 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.236156940 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.265213013 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.265233040 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.265321016 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.269686937 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.269753933 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.269850969 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.279869080 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.279890060 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.279933929 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.284610033 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.284629107 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.284662962 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.297446012 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.297465086 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.297502041 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.305568933 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.305587053 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.305639982 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.308466911 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.308484077 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.308525085 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.313530922 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.313575029 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.313594103 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.324562073 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.324582100 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.324620962 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.326031923 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.326076031 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.326083899 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.326088905 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.326128960 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.336294889 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.336350918 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.336360931 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.336410999 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.336735964 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.336776972 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.336779118 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.336791992 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.336850882 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:12.353451014 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:12.402103901 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:18.099927902 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:18.104939938 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.104963064 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.104978085 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.104989052 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.105004072 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.105015039 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.105046988 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:18.105046988 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:18.105108023 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.105117083 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.105135918 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.105218887 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.109988928 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.110044956 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.110126972 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.110165119 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.110205889 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.110243082 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.110377073 CEST790249711104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:18.110447884 CEST497117902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:24.748523951 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:24.749721050 CEST497097902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:24.754640102 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:54.779642105 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:22:54.793960094 CEST497097902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:22:54.798933983 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:23:24.789249897 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:23:24.796525002 CEST497097902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:23:24.801461935 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:23:54.819097042 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:23:54.839708090 CEST497097902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:23:54.844571114 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:23:56.730607033 CEST4971380192.168.2.9178.237.33.50
                                    Sep 26, 2024 09:23:57.042946100 CEST4971380192.168.2.9178.237.33.50
                                    Sep 26, 2024 09:23:57.652249098 CEST4971380192.168.2.9178.237.33.50
                                    Sep 26, 2024 09:23:58.855389118 CEST4971380192.168.2.9178.237.33.50
                                    Sep 26, 2024 09:24:01.261574984 CEST4971380192.168.2.9178.237.33.50
                                    Sep 26, 2024 09:24:06.074245930 CEST4971380192.168.2.9178.237.33.50
                                    Sep 26, 2024 09:24:15.683536053 CEST4971380192.168.2.9178.237.33.50
                                    Sep 26, 2024 09:24:24.849028111 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:24:24.851159096 CEST497097902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:24:24.856081963 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:24:54.869882107 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:24:54.872936964 CEST497097902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:24:54.877717972 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:25:24.883600950 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:25:24.885052919 CEST497097902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:25:24.889877081 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:25:54.898149967 CEST790249709104.250.180.178192.168.2.9
                                    Sep 26, 2024 09:25:54.899902105 CEST497097902192.168.2.9104.250.180.178
                                    Sep 26, 2024 09:25:54.905148029 CEST790249709104.250.180.178192.168.2.9
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 26, 2024 09:22:06.760513067 CEST  53900        53         192.168.2.9  1.1.1.1
Sep 26, 2024 09:22:06.768431902 CEST  53           53900      1.1.1.1      192.168.2.9

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
Sep 26, 2024 09:22:06.760513067 CEST  192.168.2.9  1.1.1.1  0x82af    Standard query (0)  geoplugin.net  A (IP address)  IN (0x0001)  false

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
Sep 26, 2024 09:22:06.768431902 CEST  1.1.1.1    192.168.2.9  0x82af    No error (0)  geoplugin.net         178.237.33.50  A (IP address)  IN (0x0001)  false
                                    • geoplugin.net
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.9  49713        178.237.33.50   80                6580  C:\ProgramData\Adobe\Adobe.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 26, 2024 09:22:06.783169031 CEST  71                 OUT        GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Sep 26, 2024 09:22:07.383943081 CEST  1170               IN         HTTP/1.1 200 OK
                                    date: Thu, 26 Sep 2024 07:22:07 GMT
                                    server: Apache
                                    content-length: 962
                                    content-type: application/json; charset=utf-8
                                    cache-control: public, max-age=300
                                    access-control-allow-origin: *
                                    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                    Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                    Target ID:0
                                    Start time:03:21:59
                                    Start date:26/09/2024
                                    Path:C:\Users\user\Desktop\6122.scr.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\6122.scr.exe"
                                    Imagebase:0x250000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1380614109.0000000004199000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1380614109.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:03:22:00
                                    Start date:26/09/2024
                                    Path:C:\Users\user\Desktop\6122.scr.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\6122.scr.exe"
                                    Imagebase:0x430000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:4
                                    Start time:03:22:00
                                    Start date:26/09/2024
                                    Path:C:\Users\user\Desktop\6122.scr.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\6122.scr.exe"
                                    Imagebase:0xc00000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1380972465.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:true

                                    Target ID:5
                                    Start time:03:22:00
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0xf60000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 29%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:6
                                    Start time:03:22:02
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0x700000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3826634389.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:false

                                    Target ID:8
                                    Start time:03:22:11
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq"
                                    Imagebase:0x2f0000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:9
                                    Start time:03:22:11
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq"
                                    Imagebase:0x200000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:10
                                    Start time:03:22:11
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\cwgifzhbfrxysfrhlq"
                                    Imagebase:0xf10000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:11
                                    Start time:03:22:11
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\nytbgrrvtzplutnlvscrbj"
                                    Imagebase:0x90000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:12
                                    Start time:03:22:11
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\nytbgrrvtzplutnlvscrbj"
                                    Imagebase:0xe00000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:13
                                    Start time:03:22:11
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl"
                                    Imagebase:0x50000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:14
                                    Start time:03:22:11
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl"
                                    Imagebase:0x30000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:15
                                    Start time:03:22:11
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\psylhkcxhhhqezbpmdxlmokhl"
                                    Imagebase:0x390000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false

                                    Target ID:17
                                    Start time:03:22:11
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0xb80000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:19
                                    Start time:03:22:13
                                    Start date:26/09/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 12
                                    Imagebase:0x5f0000
                                    File size:483'680 bytes
                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:20
                                    Start time:03:22:13
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0x640000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.1498365539.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:23
                                    Start time:03:22:19
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0x8b0000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:24
                                    Start time:03:22:21
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0x5b0000
                                    File size:923'136 bytes
                                    MD5 hash:784B07833FBDCA10528DBEB3EB1DAFFE
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.1577773134.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:9.4%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:214
                                      Total number of Limit Nodes:14

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00B7D1B6
                                      • GetCurrentThread.KERNEL32 ref: 00B7D1F3
                                      • GetCurrentProcess.KERNEL32 ref: 00B7D230
                                      • GetCurrentThreadId.KERNEL32 ref: 00B7D289
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370139708.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b70000_6122.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: 27819591ca9cdec3391f1e8bf171dbe53e450f506c8f4656dec30ef4931630f8
                                      • Instruction ID: 9b1db37a7f08ee1a0c668ec3a1fa02dfbe935e66b95b3183851066f380146eaa
                                      • Opcode Fuzzy Hash: 27819591ca9cdec3391f1e8bf171dbe53e450f506c8f4656dec30ef4931630f8
                                      • Instruction Fuzzy Hash: 345187B0901749CFDB04CFA9D548B9EBBF1EF88304F20849AE418A7391D7749984CB61

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00B7D1B6
                                      • GetCurrentThread.KERNEL32 ref: 00B7D1F3
                                      • GetCurrentProcess.KERNEL32 ref: 00B7D230
                                      • GetCurrentThreadId.KERNEL32 ref: 00B7D289
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370139708.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b70000_6122.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: 29540236c9a818bb327492b67d775f6156b2d8591c9b26fe356f656cb939be53
                                      • Instruction ID: c5da938a399f66fbaeb252b4991609ae3b3bb9d4cd92f785ebab5acf86bd083f
                                      • Opcode Fuzzy Hash: 29540236c9a818bb327492b67d775f6156b2d8591c9b26fe356f656cb939be53
                                      • Instruction Fuzzy Hash: BE5176B0900749CFDB14CFAAD548B9EBBF1FF88314F208499E419A7391D774A984CB65

                                      Control-flow Graph

                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06862ED6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 89b52b01de657419285ffa8b8ab3f2e2c546cc78399db68871e055cc438aa108
                                      • Instruction ID: b3f22efc9fc0fe047351aaf85fcc2c543979a99f119e39ada8ca3b9f25846f51
                                      • Opcode Fuzzy Hash: 89b52b01de657419285ffa8b8ab3f2e2c546cc78399db68871e055cc438aa108
                                      • Instruction Fuzzy Hash: D1A17D71D003198FEB60DFA9C851BDEBBB2BF44314F1485AAE809E7240DB749A85CF91

                                      Control-flow Graph

                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06862ED6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: a2a3d2c67eba5df796be1902dfc758a95cdfa0a51c647a92531a6988a59b37ee
                                      • Instruction ID: fc4bdd92bd75d05e85c7cdf4546ee84a5a7baa0ef5547850f92fb4539c193d63
                                      • Opcode Fuzzy Hash: a2a3d2c67eba5df796be1902dfc758a95cdfa0a51c647a92531a6988a59b37ee
                                      • Instruction Fuzzy Hash: 59914B71D007198FEB60DFA9C851BDEBBB2BF48314F1485A9E809E7240DB749A85CF91

                                      Control-flow Graph

                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00B759C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370139708.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b70000_6122.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 2ba674c07c7852cb5b582c6efd6409f92a2bbf8f7944c82a55472e53d624d9ca
                                      • Instruction ID: 940fb8b6863b2cad3c83f5ab341d3a11c023429ccf5028da9ffda9e1e6a7dc84
                                      • Opcode Fuzzy Hash: 2ba674c07c7852cb5b582c6efd6409f92a2bbf8f7944c82a55472e53d624d9ca
                                      • Instruction Fuzzy Hash: 7741B070C00719CBEB24DFA9C88479EBBF5FF48704F60816AD419AB251DBB56945CF90

                                      Control-flow Graph

                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00B759C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370139708.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b70000_6122.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 91a6ef3efc5a49695608f09ba8023c50ddf1d4f402a71e950679b3cfe8aaff94
                                      • Instruction ID: 2b68c690eab1ef7798a8f76d8fc3466d6b77944542e3eeab8e6bf8b576c13b93
                                      • Opcode Fuzzy Hash: 91a6ef3efc5a49695608f09ba8023c50ddf1d4f402a71e950679b3cfe8aaff94
                                      • Instruction Fuzzy Hash: 8541CF70C00759CBEB24CFA9C8847DEBBB5FF48304F20816AD419AB251DBB56946CF50

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       Blocks: 200 6862a13-6862a66; 203 6862a76-6862ab5 (WriteProcessMemory); 204 6862a68-6862a74; 206 6862ab7-6862abd; 207 6862abe-6862aee
                                       Edges: 200->203, 200->204, 203->206, 203->207, 204->203, 206->207
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06862AA8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 6fe7dc2c01600332716c9c1c2007d96d7cecca811fb4d9d7829de4806a99aa76
                                      • Instruction ID: 4e86c71b7cac3a938395f5d9ba409a548ebb599bf5a0e4f8a319044f3e9aec25
                                      • Opcode Fuzzy Hash: 6fe7dc2c01600332716c9c1c2007d96d7cecca811fb4d9d7829de4806a99aa76
                                      • Instruction Fuzzy Hash: 93215A75D003099FDB10CFAAD885BEEBBF5FF48310F10842AE918A7240D7789A44CBA1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       Blocks: 211 6862a18-6862a66; 213 6862a76-6862ab5 (WriteProcessMemory); 214 6862a68-6862a74; 216 6862ab7-6862abd; 217 6862abe-6862aee
                                       Edges: 211->213, 211->214, 213->216, 213->217, 214->213, 216->217
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06862AA8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: efe358569ddbda639ca0f5ceb7a5679efb6460c41af5d3092f598cfd1fcba33e
                                      • Instruction ID: d4a5bebb75b35edc877cb08f654146496c842bf0554b486f90ab73bd35b47e9a
                                      • Opcode Fuzzy Hash: efe358569ddbda639ca0f5ceb7a5679efb6460c41af5d3092f598cfd1fcba33e
                                      • Instruction Fuzzy Hash: 192127759003099FDB10DFAAC885BDEBBF5FF48310F10842AE919A7240D7789A44CBA1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       Blocks: 241 6864cd0-6864cd8; 243 6864cc3-6864ccb; 244 6864cda-6864cfb; 245 6865470-68654da (PostMessageW); 246 68654e3-68654f7; 247 68654dc-68654e2
                                       Edges: 241->243, 241->244, 243->245, 244->245, 245->246, 245->247, 247->246
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 068654CD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 3c648a94675eaadbbf0f2947b6a27d8a3c398a9c936e680560a0aeb949cd2fac
                                      • Instruction ID: a0bbbaac1acf65977ebff1c6a33a2edd67ab53cbc70addfc4aa7e41998cbfad2
                                      • Opcode Fuzzy Hash: 3c648a94675eaadbbf0f2947b6a27d8a3c398a9c936e680560a0aeb949cd2fac
                                      • Instruction Fuzzy Hash: F621B0B18093988FDB11DFAAD854BDEBFF4EF49220F04808BD154AB652C2745548CBE6

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       Blocks: 232 6862b01-6862b95 (ReadProcessMemory); 236 6862b97-6862b9d; 237 6862b9e-6862bce
                                       Edges: 232->236, 232->237, 236->237
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06862B88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: 9df6300c74f4f0a51b93411b34f6dee3502734c6d0e739a01e76647b735126de
                                      • Instruction ID: 898010b2aa3a3196d9c2c776da04e95fd36e624bbe0191459033059da195a4e8
                                      • Opcode Fuzzy Hash: 9df6300c74f4f0a51b93411b34f6dee3502734c6d0e739a01e76647b735126de
                                      • Instruction Fuzzy Hash: C22136B6C003499FDB10DFAAD881BEEBBF5FF48320F10842AE519A7240C7789541CBA1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       Blocks: 221 6862878-68628cb; 224 68628cd-68628d9; 225 68628db-686290b (Wow64SetThreadContext); 227 6862914-6862944; 228 686290d-6862913
                                       Edges: 221->224, 221->225, 224->225, 225->227, 225->228, 228->227
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 068628FE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: aa3ceb15305174f497c51c0f537ad7441516b04a3f6f264f4413f51ae40ecf03
                                      • Instruction ID: 46f2763d8f38e184f0bd3594b22eb2a75d898d07974781b2548aa8e3546d8a3d
                                      • Opcode Fuzzy Hash: aa3ceb15305174f497c51c0f537ad7441516b04a3f6f264f4413f51ae40ecf03
                                      • Instruction Fuzzy Hash: 10212571D003099FDB10DFAAC485BEEBBF4AF48324F14842AD559A7241DB789A85CBA1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       Blocks: 273 6862b08-6862b95 (ReadProcessMemory); 276 6862b97-6862b9d; 277 6862b9e-6862bce
                                       Edges: 273->276, 273->277, 276->277
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06862B88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: d066507c0639d1a857499df7167831cde9e02fc1da85e13e8e7fe6a0b3503686
                                      • Instruction ID: 8c9468a16eaa80da2e63327b89ab2ec6f8aa26f422e9485bc8247ea68b01e82c
                                      • Opcode Fuzzy Hash: d066507c0639d1a857499df7167831cde9e02fc1da85e13e8e7fe6a0b3503686
                                      • Instruction Fuzzy Hash: 2C2125B1C003499FDB10DFAAD880BEEBBF5FF48320F50842AE519A7240D7789944CBA1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       Blocks: 263 6862880-68628cb; 265 68628cd-68628d9; 266 68628db-686290b (Wow64SetThreadContext); 268 6862914-6862944; 269 686290d-6862913
                                       Edges: 263->265, 263->266, 265->266, 266->268, 266->269, 269->268
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 068628FE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: d456725b5b3f5cc4ef974beb583af62ab4323bbfd7fb7608acf1f39d501eaf93
                                      • Instruction ID: 72878c5e4217f9e03075563682bb03075c02ea3aa8598800a4b24658a8eafb1f
                                      • Opcode Fuzzy Hash: d456725b5b3f5cc4ef974beb583af62ab4323bbfd7fb7608acf1f39d501eaf93
                                      • Instruction Fuzzy Hash: F6211571D003098FDB10DFAAC485BEEBBF4EF88324F14842AD559A7240DB789A45CFA1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       Blocks: 258 b7d37a-b7d414 (DuplicateHandle); 259 b7d416-b7d41c; 260 b7d41d-b7d43a
                                       Edges: 258->259, 258->260, 259->260
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B7D407
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370139708.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b70000_6122.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: d89fa4e746418ca6fe74341c163d5b1107496ce75ffbaee877cd0151674b8dde
                                      • Instruction ID: 902ef2990f7dbe62b3785ceec33d152811a1e087c1297c788cabc8c9ed61d04a
                                      • Opcode Fuzzy Hash: d89fa4e746418ca6fe74341c163d5b1107496ce75ffbaee877cd0151674b8dde
                                      • Instruction Fuzzy Hash: AF2116B5900248DFDB10CFAAE484AEEBFF4EF48320F14845AE958A3310D374A955CF60

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                       Blocks: 251 b7b34b-b7b3b8; 253 b7b3c0-b7b3eb (GetModuleHandleW); 254 b7b3ba-b7b3bd; 255 b7b3f4-b7b408; 256 b7b3ed-b7b3f3
                                       Edges: 251->253, 251->254, 253->255, 253->256, 254->253, 256->255
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00B7B3DE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370139708.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b70000_6122.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: fbafc57014413c2b990a1cce799a7eb6e0057b7a20005c5474d9ba04888bd7f0
                                      • Instruction ID: 59463b86455d08f0be75a33fc59081ded507b67d281514ee4d61717d48873287
                                      • Opcode Fuzzy Hash: fbafc57014413c2b990a1cce799a7eb6e0057b7a20005c5474d9ba04888bd7f0
                                      • Instruction Fuzzy Hash: 76218BB1C093888FDB11CFAAD450BDEBFF0EF4A214F05809AC499A7252C3395445CFA5
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B7D407
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370139708.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b70000_6122.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: d45e8c62530ccbcd69213fb13e20074daeb746eea67631c9922b9dac81a54001
                                      • Instruction ID: f67859190c6e30be2c645f6d86f2d932545b94a17495e4178f4d2dfeeee075b8
                                      • Opcode Fuzzy Hash: d45e8c62530ccbcd69213fb13e20074daeb746eea67631c9922b9dac81a54001
                                      • Instruction Fuzzy Hash: 7E21E4B5900209DFDB10CF9AD884ADEBBF4EB48320F14845AE918A3350D374A940CF61
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 068629C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 0ef1cf06bb61ca7c0d3d0de23cb55ce656d6f6c13e4202368a73924b64f0cd7b
                                      • Instruction ID: e29b95281a13d2b3771415a5f72aee21061298f28f9a1d88794fba6b4d0db578
                                      • Opcode Fuzzy Hash: 0ef1cf06bb61ca7c0d3d0de23cb55ce656d6f6c13e4202368a73924b64f0cd7b
                                      • Instruction Fuzzy Hash: 441189728003499FDB10DFAAD844BDEBFF5EF88324F14881AE955A7240C775A544CFA1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: ad726bdfec4d76bb275e294e3ea76aa76a7dd409981dce74040ab056f9407ec6
                                      • Instruction ID: 3e9f81c2f8995685492b04abee67da78ab8ae00662f61e2b16dc52ead5cf0436
                                      • Opcode Fuzzy Hash: ad726bdfec4d76bb275e294e3ea76aa76a7dd409981dce74040ab056f9407ec6
                                      • Instruction Fuzzy Hash: 561158B1D003488BDB20DFAAD8457EFFBF4EF48224F14842AD519A7640C7796544CBA5
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 068629C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: a43c6a3904aeff2bab2b0116da1582cb8dab44ffc6db8682637cd70a1062f1d9
                                      • Instruction ID: 77da75e883b13bfed58503b0c3c34405336d05b376d3a4e0774833d343eb37a5
                                      • Opcode Fuzzy Hash: a43c6a3904aeff2bab2b0116da1582cb8dab44ffc6db8682637cd70a1062f1d9
                                      • Instruction Fuzzy Hash: C11179728003098FDB10DFAAD844BDFBBF5EF88320F14881AE515A7250C775A540CFA0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 9ae08bb63ca909a874d55fad0218240a4868152bc26813ad53fcf30dead0dc02
                                      • Instruction ID: c5a2836348fb62df33341143a8c4b13b4c072c2d80d55a11e5c93e19009707f1
                                      • Opcode Fuzzy Hash: 9ae08bb63ca909a874d55fad0218240a4868152bc26813ad53fcf30dead0dc02
                                      • Instruction Fuzzy Hash: D6113AB1D003498FDB10DFAAD4457DEFBF4EF48324F14842AD519A7240C7796544CBA5
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 068654CD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 19b0c6b098b73cef8acb2362379c96236a7f81e658038b36b22b8a876006b6f9
                                      • Instruction ID: a95ff7c43f32ca7ae0bb679ebb76b94d93f33b6daf1f8584b51ca26b15137f21
                                      • Opcode Fuzzy Hash: 19b0c6b098b73cef8acb2362379c96236a7f81e658038b36b22b8a876006b6f9
                                      • Instruction Fuzzy Hash: 8A1136B5800348DFDB20DF9AD444BDEBBF8EB48320F10845AE558A3300C3B5A944CFA1
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00B7B3DE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370139708.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b70000_6122.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 09abc63b72aa82086b6d849ef8b357a8d17d19abee25126b6ad826d272c44fc6
                                      • Instruction ID: 4e7b03d69c2b5b0a224e1680c4cd97ea89b43d50d91fc96e52a687f0fd883250
                                      • Opcode Fuzzy Hash: 09abc63b72aa82086b6d849ef8b357a8d17d19abee25126b6ad826d272c44fc6
                                      • Instruction Fuzzy Hash: CB111DB6C002498FDB10CF9AD444BDEFBF4EF88324F11846AD829A7240D379A585CFA5
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 068654CD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 1c3993e5700a5684f10d9b33e8f6d5093a30d20fc1bc96f4a187b1a93babfccd
                                      • Instruction ID: a1eb7bd6fce40d507686b8a2e47483c011b9431b59e7d10c0e22c02ae5cdaddc
                                      • Opcode Fuzzy Hash: 1c3993e5700a5684f10d9b33e8f6d5093a30d20fc1bc96f4a187b1a93babfccd
                                      • Instruction Fuzzy Hash: 8F1136B5800748DFDB20DF9AD884BDEBBF4FB48320F14845AE559A3200C375A544CFA1
                                      APIs
                                      • CloseHandle.KERNELBASE(?), ref: 068672B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: 610de2dd5f5b599b7466a260a7fb2ad40f3ef27efbe63a21d6df1dff563d613b
                                      • Instruction ID: dbc1100fbf4f811f21b3ed0f61785f1e30e81c8db62cc12c37719c9a0687afa1
                                      • Opcode Fuzzy Hash: 610de2dd5f5b599b7466a260a7fb2ad40f3ef27efbe63a21d6df1dff563d613b
                                      • Instruction Fuzzy Hash: 2F1146B58002498FDB20CF9AD444BEEBBF0AB48324F14841AE598A3340D338A544CBA0
                                      APIs
                                      • CloseHandle.KERNELBASE(?), ref: 068672B0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: 16875623808c1e9ffc12263472ae9b5d365bd9d9255751472526f31704fc3579
                                      • Instruction ID: b95751597ece27d248a19323ca56d662d9e32821daa601801af3f1af2abe300a
                                      • Opcode Fuzzy Hash: 16875623808c1e9ffc12263472ae9b5d365bd9d9255751472526f31704fc3579
                                      • Instruction Fuzzy Hash: 921145B5800349CFDB10DF9AD444BDEBBF4EB48324F10842AE959A7340D378A544CFA5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1369694268.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_83d000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0c4f82947fd5ab673371ecdf65e86e243859edbeb76fa38e39693c2672819a61
                                      • Instruction ID: 4ad7c7b54002d646c39e5a470fc727ef39ecf7deb8f33c11a54d55a297832175
                                      • Opcode Fuzzy Hash: 0c4f82947fd5ab673371ecdf65e86e243859edbeb76fa38e39693c2672819a61
                                      • Instruction Fuzzy Hash: 43210771504344DFDB05DF10E9C0B26BB65FBD8324F24C569E90A8B256C33AE856CBE6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1369738639.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_84d000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b3b0129a22e572a4a567c75f04f24795c083bb068a12018f8510c10a3f27f32b
                                      • Instruction ID: d31acb72db634b27ceac00d060255f2b9f12de66e8a676713ace2a29c23284be
                                      • Opcode Fuzzy Hash: b3b0129a22e572a4a567c75f04f24795c083bb068a12018f8510c10a3f27f32b
                                      • Instruction Fuzzy Hash: A3210471604748DFDB14DF10D9C4B26BB65FB84318F24C5ADD80A8B386C33AD847CA62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1369694268.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_83d000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                      • Instruction ID: 7e4f67369d5e2c201cf2cb2c2fffd5e6dd7c42d33bf6865cd6cf211b93ef5071
                                      • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                      • Instruction Fuzzy Hash: 7E11B176504340DFCB16CF10E5C4B56BF71FB94324F24C6A9D8494B656C33AE856CBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1369738639.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_84d000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                      • Instruction ID: 637af5103e42fa6bd3d14e3e6132b35441e1c387372b1b814544ad7b2005bf90
                                      • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                      • Instruction Fuzzy Hash: 1F118B75504784DFCB15CF14D5C4B15BBA2FB84314F28C6AAD8498B696C33AD84ACBA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eda057db9488a84443c7b515d923cf6455ba551110d24355f8c6de94b726cf0a
                                      • Instruction ID: ebcb5cf1b960c9bcdc1a19e36439716f35bacfccfda99cd009331fb7751a1289
                                      • Opcode Fuzzy Hash: eda057db9488a84443c7b515d923cf6455ba551110d24355f8c6de94b726cf0a
                                      • Instruction Fuzzy Hash: 06E19F31B016408BDB99DB7AC85076EB7F6AF89300F14846DE25ADB391DF35E841CB92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9228cc45aa8d9a78738ae77c709613cd6ed9ab5f9415f4f2580464eec7e95d91
                                      • Instruction ID: feb46a566b56055ef231e47e9bd06087a4eaf7b357f1a3fbe8370eaf48f9d4f9
                                      • Opcode Fuzzy Hash: 9228cc45aa8d9a78738ae77c709613cd6ed9ab5f9415f4f2580464eec7e95d91
                                      • Instruction Fuzzy Hash: C0E11C74E002198FDB54DFA9C590AAEFBB2FF89305F2481A9E514AB359D730AD41CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: baaa5e7d530c8b3b654b1e004e75aa901c0b54cba5980ca27b0966f712892e18
                                      • Instruction ID: ddbda5e6072735b766b46073abd9b87ad329b727a61c46a4a13f44d1f316f217
                                      • Opcode Fuzzy Hash: baaa5e7d530c8b3b654b1e004e75aa901c0b54cba5980ca27b0966f712892e18
                                      • Instruction Fuzzy Hash: 74E10A74E002198FDB14DFA9C580AAEFBB2FF89305F248169E514AB359D731AD41CFA4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1383678143.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6860000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9c0c7371a5b46bf468cbb6ab0fb32ce152f3c639843a7b4a0ad56fe66364b713
                                      • Instruction ID: a56c3aa1e2c7abf7ce9d009dd4ad71de3549b94bc98a63b2f7dda298a20a2c80
                                      • Opcode Fuzzy Hash: 9c0c7371a5b46bf468cbb6ab0fb32ce152f3c639843a7b4a0ad56fe66364b713
                                      • Instruction Fuzzy Hash: E1E11A74E002198FDB54DFA9C584AAEFBB2FF89305F248169E454AB35AD730AD41CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1370139708.0000000000B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b70000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4d96e1f55d6ecf97fbbcd2524fd82f92aaa34142a984247ed81f6941a2022cb0
                                      • Instruction ID: 50a610a95bd232664e2f9e9f8d83bc746dc6938ee99f94cbae62a1d06486eda8
                                      • Opcode Fuzzy Hash: 4d96e1f55d6ecf97fbbcd2524fd82f92aaa34142a984247ed81f6941a2022cb0
                                      • Instruction Fuzzy Hash: 99A16132E002068FCF15DFB5C8445AEB7F2FF85300B1585BAE919AB265DB71E956CB40

                                      Execution Graph

                                      Execution Coverage:2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:1.9%
                                      Total number of Nodes:742
                                      Total number of Limit Nodes:17
                                      execution_graph (interactive node/edge listing not reproduced here: 742 nodes, 17 limit nodes; the graph is rooted at 434887 in CRT startup code, by its ___scrt_* symbol names, and reaches the sample's main routine at 40e9c5 via 44f059/4441a2)
                                      Win32 API calls visible at graph nodes, grouped by what they touch:
                                      • Startup / anti-debug: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoW, GetModuleHandleW, EnterCriticalSection, LeaveCriticalSection, RtlAllocateHeap, RaiseException
                                      • Dynamic import resolution (41cb50): LoadLibraryA, GetProcAddress, GetModuleHandleA; GetModuleFileNameW at 40e9e1
                                      • Embedded resource (41b4a8): FindResourceA, LoadResource, LockResource, SizeofResource
                                      • Single-instance / threads: CreateMutexA, GetLastError (40d069), CreateThread, Sleep
                                      • Registry (4135a6, 4136f8, 413549, 413814, 413a23): RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegCreateKeyW, RegSetValueExW, RegOpenKeyExW, RegDeleteValueW; StrToIntA on a read value (41b33b)
                                      • File-system install path (40cdf9): GetLongPathNameW, CreateDirectoryW, CopyFileW, SetFileAttributesW, DeleteFileW
                                      • Relaunch / process creation: ShellExecuteW followed by ExitProcess (40d043/40d060), CreateProcessA with CloseHandle (407755)

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                      • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                      • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                      • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                      • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: AddressProc$LibraryLoad$HandleModule
                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                      • API String ID: 4236061018-3687161714
                                      • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                      • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                      • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                      • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
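The resolver above builds the agent's working import table at run time (LoadLibraryA or GetModuleHandleA followed by GetProcAddress for each name), so the names survive only as plain strings in the unpacked image. The Python below is an added example, not code from the report or from the sample: it carries the (DLL, API) pairs listed above, checks a memory dump for them as whole NUL-terminated strings, groups hits by capability, and emits a YARA rule. The capability labels, the 12-of-23 threshold and the sample dump bytes are this example's own assumptions.

```python
"""
Added example (not code from the report or from the Remcos sample): match the
dynamically resolved import table that the resolver at 0041CB50 builds with
LoadLibraryA/GetModuleHandleA + GetProcAddress. The (DLL, API) pairs are copied
from the call list in the report; the capability labels, the YARA threshold and
the sample dump bytes are this example's own assumptions.
"""
import re
from collections import defaultdict

# (DLL, API) pairs in the order the resolver requests them. The Shlwapi import
# is fetched by ordinal (0x0C) rather than by name, so it has no string here.
RESOLVED_IMPORTS = [
    ("Psapi", "GetProcessImageFileNameW"), ("Kernel32", "GetProcessImageFileNameW"),
    ("shcore", "SetProcessDpiAwareness"), ("user32", "SetProcessDpiAwareness"),
    ("ntdll", "NtUnmapViewOfSection"), ("kernel32", "GlobalMemoryStatusEx"),
    ("kernel32", "IsWow64Process"), ("kernel32", "GetComputerNameExW"),
    ("Shell32", "IsUserAnAdmin"), ("kernel32", "SetProcessDEPPolicy"),
    ("user32", "EnumDisplayDevicesW"), ("user32", "EnumDisplayMonitors"),
    ("user32", "GetMonitorInfoW"), ("kernel32", "GetSystemTimes"),
    ("kernel32", "GetConsoleWindow"), ("ntdll", "NtSuspendProcess"),
    ("ntdll", "NtResumeProcess"), ("Iphlpapi", "GetExtendedTcpTable"),
    ("Iphlpapi", "GetExtendedUdpTable"), ("ntdll", "NtQueryInformationProcess"),
    ("kernel32", "GetFinalPathNameByHandleW"), ("Rstrtmgr", "RmStartSession"),
    ("Rstrtmgr", "RmRegisterResources"), ("Rstrtmgr", "RmGetList"),
    ("Rstrtmgr", "RmEndSession"),
]
API_NAMES = sorted({api for _, api in RESOLVED_IMPORTS})   # 23 distinct names

# Analyst-assigned capability labels (assumption, not part of the report).
CAPABILITY = {
    "process hollowing / injection": ("NtUnmapViewOfSection",),
    "process control": ("NtSuspendProcess", "NtResumeProcess", "NtQueryInformationProcess"),
    "network-connection enumeration": ("GetExtendedTcpTable", "GetExtendedUdpTable"),
    "host / privilege fingerprinting": ("IsUserAnAdmin", "IsWow64Process",
                                        "GlobalMemoryStatusEx", "GetSystemTimes",
                                        "GetComputerNameExW"),
    "display enumeration": ("EnumDisplayDevicesW", "EnumDisplayMonitors", "GetMonitorInfoW"),
    "Restart Manager (find processes holding a file)": ("RmStartSession", "RmRegisterResources",
                                                       "RmGetList", "RmEndSession"),
}
API_TO_CAP = {api: cap for cap, apis in CAPABILITY.items() for api in apis}


def find_resolved_imports(dump: bytes) -> set:
    """Return the API names from the resolver's table that occur in `dump` as
    whole, NUL-terminated ASCII strings (the form GetProcAddress consumes)."""
    found = set()
    for api in API_NAMES:
        pattern = rb"(?<![A-Za-z0-9_])" + re.escape(api.encode()) + rb"\x00"
        if re.search(pattern, dump):
            found.add(api)
    return found


def resolver_score(dump: bytes) -> float:
    """Fraction of the 23 names present; 1.0 means the whole table is in the dump."""
    return len(find_resolved_imports(dump)) / len(API_NAMES)


def capability_summary(dump: bytes) -> dict:
    """Group the names found by capability label; unlabelled names go to 'other'."""
    grouped = defaultdict(list)
    for api in sorted(find_resolved_imports(dump)):
        grouped[API_TO_CAP.get(api, "other")].append(api)
    return dict(grouped)


def to_yara(rule_name: str = "remcos_dynamic_import_table", min_hits: int = 12) -> str:
    """Emit a YARA rule requiring `min_hits` of the 23 names (threshold is an assumption)."""
    strings = "\n".join(f'        $s{i} = "{api}" ascii' for i, api in enumerate(API_NAMES))
    return (f"rule {rule_name} {{\n    strings:\n{strings}\n"
            f"    condition:\n        uint16(0) == 0x5A4D and {min_hits} of ($s*)\n}}")


# Constructed sample: a handful of the names laid out as a NUL-separated string
# table, plus two decoys that must not count (a longer identifier and a name
# that is only the tail of another identifier).
SAMPLE_DUMP = (b"MZ\x90\x00" + b"\x00".join([
    b"NtUnmapViewOfSection", b"NtSuspendProcess", b"NtResumeProcess",
    b"GetExtendedTcpTable", b"IsUserAnAdmin", b"RmStartSession",
    b"GetExtendedUdpTableEx",      # decoy: not the table's name
    b"XXGetMonitorInfoW",          # decoy: not a whole string
]) + b"\x00")
```

Run it against the injected-image dump (here process 4 at image base 00400000), not necessarily the submitted file, because the string table only has to exist in the unpacked payload. A score near 1.0 with the Restart Manager and Nt* groups present is the useful signal; the host-fingerprinting names on their own are common in benign software, which is why the generated rule asks for a majority of the table rather than any single name. Sysmon-style telemetry is not needed for this check; it works on a dump or on disk.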

                                      Control-flow Graph

                                      • Graph nodes (text rendering of the interactive graph view; executed/not-executed colouring is lost): the routine starting at 0040E9C5 first calls the import resolver at 0041CB50, then GetModuleFileNameW on its own image, reads settings through the registry helper at 00413549 and StrToIntA, starts several worker threads with CreateThread, and contains a loop that calls DeleteFileW and sleeps before retrying, before returning through 0040F3A5.
                                      APIs
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6122.scr.exe,00000104), ref: 0040E9EE
                                        • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                      • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                      • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\6122.scr.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                      • API String ID: 2830904901-2122722577
                                      • Opcode ID: 6b788d8bef068796558963f7ecebd42bb934510d76b3b9a953e2bf2f734d2ff5
                                      • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                      • Opcode Fuzzy Hash: 6b788d8bef068796558963f7ecebd42bb934510d76b3b9a953e2bf2f734d2ff5
                                      • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                      Control-flow Graph

                                      APIs
                                      • _wcslen.LIBCMT ref: 0040CE07
                                      • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                      • CopyFileW.KERNELBASE(C:\Users\user\Desktop\6122.scr.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                      • _wcslen.LIBCMT ref: 0040CEE6
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\6122.scr.exe,00000000,00000000), ref: 0040CF84
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                      • _wcslen.LIBCMT ref: 0040CFC6
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                      • ExitProcess.KERNEL32 ref: 0040D062
                                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                      • String ID: 6$C:\Users\user\Desktop\6122.scr.exe$del$open
                                      • API String ID: 1579085052-2592771163
                                      • Opcode ID: 814849405574f27cdfff210f7d5faa9ce691f1cc33a2f2159ed20f1a2e65d6c6
                                      • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                      • Opcode Fuzzy Hash: 814849405574f27cdfff210f7d5faa9ce691f1cc33a2f2159ed20f1a2e65d6c6
                                      • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

                                      Control-flow Graph

                                      APIs
                                      • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                      • API ID: LongNamePath
                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                      • API String ID: 82841172-425784914
                                      • Opcode ID: 46d901405b7c4f1817ae1d48af55330febbd656c9bbb3008c43cf957afa3439e
                                      • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                      • Opcode Fuzzy Hash: 46d901405b7c4f1817ae1d48af55330febbd656c9bbb3008c43cf957afa3439e
                                      • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                        • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                        • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                        • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                      • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                      • API ID: CloseCurrentOpenProcessQueryValue
                                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      • API String ID: 1866151309-2070987746
                                      • Opcode ID: b004e89fecfca72c60d0d2d1a8fce3e40073890883e7b2a8564e183fd8eeb87f
                                      • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                      • Opcode Fuzzy Hash: b004e89fecfca72c60d0d2d1a8fce3e40073890883e7b2a8564e183fd8eeb87f
                                      • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                                      Control-flow Graph

                                      • Graph nodes (text rendering of the interactive graph view): 00413814 RegCreateKeyW; on success 00413829 RegSetValueExW followed by RegCloseKey; both paths join at 00413868 and return.
                                      APIs
                                      • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                      • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,76F937E0,?), ref: 0041384D
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,76F937E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                      • API ID: CloseCreateValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 1818849710-1051519024
                                      • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                      • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                      • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                      • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
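Two of the blocks above belong together: the install routine (CopyFileW of the running image into a freshly created directory, SetFileAttributesW with 0x7 = READONLY|HIDDEN|SYSTEM on the copy, ShellExecuteW "open" of the copy, then ExitProcess) and the persistence value written under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (0x80000002 is HKEY_LOCAL_MACHINE). Explorer runs entries under that policy key at logon just as it does the ordinary Run key, but it is monitored far less often. The Python below is an added example, not code from the report or from the sample: it correlates constructed endpoint telemetry (file creation, attribute change, registry value set, process start) per process and scores each Policies\Explorer\Run write by how much of the install sequence the same process performed. The event schema, field names, paths and timestamps are constructed.

```python
r"""
Added example (not code from the report or from the Remcos sample): correlate
the install sequence seen in the trace (CopyFileW of the running image into a
new directory, SetFileAttributesW(7) = READONLY|HIDDEN|SYSTEM, ShellExecuteW
"open" of the copy, ExitProcess) with the Policies\Explorer\Run value written
at 0041381F. Event schema, field names, paths and timestamps are constructed.
"""
import re
from collections import defaultdict

# HKLM (0x80000002 in the RegCreateKeyW call) or HKCU Policies\Explorer\Run.
POLICY_RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", re.I)
# Roots the path resolver at 0040DB9A can expand (AppData, ProgramData, Temp, ...).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
READONLY, HIDDEN, SYSTEM = 0x1, 0x2, 0x4


def _norm(path: str) -> str:
    return path.strip().strip('"').casefold()


def detect_policy_run_persistence(events: list) -> list:
    """Flag every Policies\\Explorer\\Run value and annotate whether its target
    was dropped, hidden and launched by the same process that set the value."""
    dropped = defaultdict(set)     # pid -> .exe paths it created
    hidden = set()                 # paths given HIDDEN|SYSTEM attributes
    launched = defaultdict(set)    # parent pid -> images it started
    for e in events:
        if e["type"] == "FileCreate" and e["path"].casefold().endswith(".exe"):
            dropped[e["pid"]].add(_norm(e["path"]))
        elif e["type"] == "SetFileAttributes" and \
                (e["attrs"] & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM):
            hidden.add(_norm(e["path"]))
        elif e["type"] == "ProcessCreate":
            launched[e.get("parent_pid")].add(_norm(e["image"]))
    findings = []
    for e in events:
        if e["type"] != "RegistryValueSet" or not POLICY_RUN_KEY.search(e["key"]):
            continue
        target = _norm(e["data"])
        f = {
            "pid": e["pid"], "key": e["key"], "target": e["data"],
            "self_dropped": target in dropped[e["pid"]],
            "hidden_system": target in hidden,
            "launched_by_setter": target in launched[e["pid"]],
            "user_writable": target.startswith(USER_WRITABLE),
        }
        f["score"] = sum(f[k] for k in
                         ("self_dropped", "hidden_system", "launched_by_setter", "user_writable"))
        findings.append(f)
    return findings


# Constructed telemetry: pid 4 mirrors the sample's install routine; pid 7 is a
# benign installer that writes Program Files and the ordinary Run key.
DROP = r"C:\Users\user\AppData\Roaming\Example\agent.exe"   # constructed path
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4, "type": "FileCreate", "path": DROP},
    {"ts": 2, "pid": 4, "type": "SetFileAttributes", "path": DROP,
     "attrs": READONLY | HIDDEN | SYSTEM},
    {"ts": 3, "pid": 4, "type": "RegistryValueSet",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Example",
     "data": DROP},
    {"ts": 4, "pid": 9, "parent_pid": 4, "type": "ProcessCreate", "image": DROP},
    {"ts": 5, "pid": 7, "type": "FileCreate", "path": r"C:\Program Files\Vendor\app.exe"},
    {"ts": 6, "pid": 7, "type": "RegistryValueSet",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\app.exe"},
]
```

Sysmon covers three of the four inputs (ProcessCreate is event ID 1, FileCreate is ID 11, RegistryValueSet is ID 13); it does not record attribute changes, so when that source is missing treat `hidden_system` as optional and alert on a score of 3. A finding with all four flags set reproduces the order seen in the trace: copy, hide, register under Policies\Explorer\Run, launch the copy from the original process, which then exits.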

                                      Control-flow Graph

                                      • Graph nodes (text rendering of the interactive graph view): a single basic block at 0040D069 that calls CreateMutexA and then GetLastError.
                                      APIs
                                      • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                      • GetLastError.KERNEL32 ref: 0040D083
                                      • API ID: CreateErrorLastMutex
                                      • String ID: SG
                                      • API String ID: 1925916568-3189917014
                                      • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                      • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                      • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                      • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                                      Control-flow Graph

                                      • Graph nodes (text rendering of the interactive graph view): 004135A6 RegOpenKeyExA; on success 004135D4 RegQueryValueExA followed by RegCloseKey; the paths join at 0041360E.
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                      • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
                                      • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                      • Opcode Fuzzy Hash: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
                                      • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

                                      Control-flow Graph

                                      • Graph nodes (text rendering of the interactive graph view): 00413549 RegOpenKeyExA; on success 00413573 RegQueryValueExA followed by RegCloseKey; the paths join at 004135A2.
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                      • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                      • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                      • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94

                                      Control-flow Graph (rendered graph not reproduced; basic blocks 40165e-4016b3 with calls to 4344ea)
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                      • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                      • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

                                      Control-flow Graph (rendered graph not reproduced; basic blocks 446137-446184 calling RtlAllocateHeap and subroutines 4405dd, 445545, 442f80)
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                      • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                      • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                      • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                      • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                        • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                        • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                        • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                      • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                      • DeleteFileA.KERNEL32(?), ref: 00408652
                                        • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                        • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                        • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                        • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                      • Sleep.KERNEL32(000007D0), ref: 004086F8
                                      • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                        • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                      • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                      • API String ID: 1067849700-181434739
                                      • Opcode ID: b08ec038c843015cc658e55876cd7923d244435ed02f080ae07065bd7f36788e
                                      • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                      • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 004056E6
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • __Init_thread_footer.LIBCMT ref: 00405723
                                      • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                      • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                      • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                      • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                      • CloseHandle.KERNEL32 ref: 00405A23
                                      • CloseHandle.KERNEL32 ref: 00405A2B
                                      • CloseHandle.KERNEL32 ref: 00405A3D
                                      • CloseHandle.KERNEL32 ref: 00405A45
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                      • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                      • API String ID: 2994406822-18413064
                                      • Opcode ID: 571d00232e179bb951c66cd8803b4e008ff3c83704949425b7cea3626c9ba2d0
                                      • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                      • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 00412106
                                        • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                        • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                        • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                      • CloseHandle.KERNEL32(00000000), ref: 00412155
                                      • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                      • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                      • API String ID: 3018269243-13974260
                                      • Opcode ID: 7579134408927576322ff34649d0b5464798f67aa42af6ea2314acf5978c42f8
                                      • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                      • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                      • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                      • FindClose.KERNEL32(00000000), ref: 0040BD12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                      • API String ID: 1164774033-3681987949
                                      • Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                                      • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                      • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                      APIs
                                      • OpenClipboard.USER32 ref: 004168C2
                                      • EmptyClipboard.USER32 ref: 004168D0
                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                      • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                      • CloseClipboard.USER32 ref: 00416955
                                      • OpenClipboard.USER32 ref: 0041695C
                                      • GetClipboardData.USER32(0000000D), ref: 0041696C
                                      • GlobalLock.KERNEL32(00000000), ref: 00416975
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                      • CloseClipboard.USER32 ref: 00416984
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                      • String ID: !D@
                                      • API String ID: 3520204547-604454484
                                      • Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                                      • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                      • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                      • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                      • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                      • FindClose.KERNEL32(00000000), ref: 0040BED0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$File$FirstNext
                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 3527384056-432212279
                                      • Opcode ID: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                                      • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                      • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4B9
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                      • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                      • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                      • API String ID: 3756808967-1743721670
                                      • Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                                      • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                      • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0$1$2$3$4$5$6$7$VG
                                      • API String ID: 0-1861860590
                                      • Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                                      • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                      • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                      APIs
                                      • _wcslen.LIBCMT ref: 00407521
                                      • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Object_wcslen
                                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                      • API String ID: 240030777-3166923314
                                      • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                      • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                      • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                      • GetLastError.KERNEL32 ref: 0041A7BB
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                      • String ID:
                                      • API String ID: 3587775597-0
                                      • Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                                      • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                      • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                      • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                      • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                      • String ID: lJD$lJD$lJD
                                      • API String ID: 745075371-479184356
                                      • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                      • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                      • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                      • FindClose.KERNEL32(00000000), ref: 0040C47D
                                      • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 1164774033-405221262
                                      • Opcode ID: b4ce1130c63f91c9a7bb924499f2ab22045580026bc8e52ab8eb9ef944069cc1
                                      • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                      • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                      • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                      • String ID:
                                      • API String ID: 2341273852-0
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • API ID: File$Find$CreateFirstNext
                                      • String ID: 8SG$PXG$PXG$NG$PG
                                      • API String ID: 341183262-3812160132
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                      • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                      • GetLastError.KERNEL32 ref: 0040A2ED
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                      • TranslateMessage.USER32(?), ref: 0040A34A
                                      • DispatchMessageA.USER32(?), ref: 0040A355
                                      Strings
                                      • Keylogger initialization failure: error , xrefs: 0040A301
                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                      • String ID: Keylogger initialization failure: error
                                      • API String ID: 3219506041-952744263
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 0040A416
                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                      • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                      • GetKeyState.USER32(00000010), ref: 0040A433
                                      • GetKeyboardState.USER32(?), ref: 0040A43E
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                      • String ID:
                                      • API String ID: 1888522110-0
                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                      • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                      • API String ID: 2127411465-314212984
                                      APIs
                                      • _free.LIBCMT ref: 00449212
                                      • _free.LIBCMT ref: 00449236
                                      • _free.LIBCMT ref: 004493BD
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                      • _free.LIBCMT ref: 00449589
                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                      • String ID:
                                      • API String ID: 314583886-0
                                      APIs
                                        • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                        • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                        • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                        • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                        • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                      • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                      • String ID: !D@$PowrProf.dll$SetSuspendState
                                      • API String ID: 1589313981-2876530381
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                      • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                      • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP$['E
                                      • API String ID: 2299586839-2532616801
                                      APIs
                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                      • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                      • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                      Strings
                                      • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                      • API ID: Internet$CloseHandleOpen$FileRead
                                      • String ID: http://geoplugin.net/json.gp
                                      • API String ID: 3121278467-91888290
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                      • GetLastError.KERNEL32 ref: 0040BA58
                                      Strings
                                      • UserProfile, xrefs: 0040BA1E
                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                      • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                      • [Chrome StoredLogins not found], xrefs: 0040BA72
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 2018770650-1062637481
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                      • GetLastError.KERNEL32 ref: 0041799D
                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3534403312-3733053543
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00409258
                                        • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                      • FindClose.KERNEL32(00000000), ref: 004093C1
                                        • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                        • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                        • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                      • FindClose.KERNEL32(00000000), ref: 004095B9
                                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                      • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                      • String ID:
                                      • API String ID: 1824512719-0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                      • String ID:
                                      • API String ID: 276877138-0
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                      • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                      • _wcschr.LIBVCRUNTIME ref: 00451E58
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                      • String ID: sJD
                                      • API String ID: 4212172061-3536923933
                                      APIs
                                        • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                        • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                        • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                      • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                      • ExitProcess.KERNEL32 ref: 0040F8CA
                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                      • String ID: 5.1.0 Pro$override$pth_unenc
                                      • API String ID: 2281282204-182549033
                                      APIs
                                      • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                      • wsprintfW.USER32 ref: 0040B1F3
                                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                      • API ID: EventLocalTimewsprintf
                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                      • API String ID: 1497725170-248792730
                                      APIs
                                      • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                      • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                      • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                      • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID: SETTINGS
                                      • API String ID: 3473537107-594951305
                                      • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                      • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                      • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                      • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
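The FindResourceA(SETTINGS, 0x0A) / LoadResource / LockResource / SizeofResource sequence above is the sample reading an RT_RCDATA (type 10) resource named SETTINGS out of its own image, which is where Remcos keeps the configuration that the report flags as "Found malware configuration". The following is an added example, not code from the Joe Sandbox report or from the sample: a dependency-free Python walker over the PE resource tree that pulls that blob out of a file on disk, plus a constructed minimal PE32 (`build_test_pe`, a name of mine, populated only with the fields the walker reads) so it runs offline. It returns the raw resource bytes; decoding them is outside what this page shows.

```python
import struct

RT_RCDATA = 10  # resource type 0x0A, the value passed to FindResourceA in the report


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x is outside every section" % rva)


def _entries(data, base, off):
    """Yield (name_or_id, child_offset, is_subdir) for one IMAGE_RESOURCE_DIRECTORY."""
    named, ids = struct.unpack_from("<HH", data, base + off + 12)
    for i in range(named + ids):
        name, child = struct.unpack_from("<II", data, base + off + 16 + 8 * i)
        if name & 0x80000000:  # named entry: IMAGE_RESOURCE_DIR_STRING_U (length, UTF-16)
            soff = base + (name & 0x7FFFFFFF)
            n = struct.unpack_from("<H", data, soff)[0]
            key = data[soff + 2:soff + 2 + 2 * n].decode("utf-16-le")
        else:
            key = name
        yield key, child & 0x7FFFFFFF, bool(child & 0x80000000)


def find_rcdata(data, wanted):
    """Return the bytes of the RT_RCDATA resource called `wanted`, or None if absent."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+ data directories
    rsrc_rva = struct.unpack_from("<I", data, dirs + 2 * 8)[0]  # directory index 2 = resources
    if rsrc_rva == 0:
        return None
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw, rsize))
    base = _rva_to_offset(sections, rsrc_rva)
    for rtype, toff, tdir in _entries(data, base, 0):          # level 1: type
        if rtype != RT_RCDATA or not tdir:
            continue
        for name, noff, ndir in _entries(data, base, toff):    # level 2: name / id
            if name != wanted or not ndir:
                continue
            for _lang, doff, ddir in _entries(data, base, noff):  # level 3: language
                if not ddir:  # leaf: IMAGE_RESOURCE_DATA_ENTRY (RVA, size, codepage, reserved)
                    rva, size = struct.unpack_from("<II", data, base + doff)
                    start = _rva_to_offset(sections, rva)
                    return data[start:start + size]
    return None


def build_test_pe(name, payload):
    """Constructed minimal PE32 with one .rsrc section holding a single RT_RCDATA resource.
    Test input only: just the fields the walker reads are filled in, it is not loadable."""
    rsrc_va, rsrc_raw = 0x1000, 0x200
    name_u = name.encode("utf-16-le")
    pay_off = (0x58 + 2 + len(name_u) + 15) & ~15               # payload follows the name string

    def rdir(named, ids):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)

    tree = rdir(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 0x18)           # root -> type dir
    tree += rdir(1, 0) + struct.pack("<II", 0x80000000 | 0x58, 0x80000000 | 0x30)  # type -> name dir
    tree += rdir(0, 1) + struct.pack("<II", 0x409, 0x48)                            # lang -> data entry
    tree += struct.pack("<IIII", rsrc_va + pay_off, len(payload), 0, 0)
    tree += struct.pack("<H", len(name)) + name_u
    tree = tree.ljust(pay_off, b"\0") + payload
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_va, len(tree))   # resource data directory
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(tree), rsrc_va, len(tree), rsrc_raw) + bytes(16)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec
    return hdr.ljust(rsrc_raw, b"\0") + bytes(tree)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe("SETTINGS", b"\x04demo")
    print(find_rcdata(blob, "SETTINGS"))
```

Run it with the unpacked payload (the memory dump at 0x00400000 rewritten as a file, or the dropped executable) as the first argument; with no argument it walks the constructed PE. The walker only follows the type/name/language path the sample itself takes, so an absent SETTINGS resource yields None rather than an error, which is the quick triage check for samples from this family.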
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0040966A
                                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstH_prologNext
                                      • String ID:
                                      • API String ID: 1157919129-0
                                      • Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                                      • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                      • Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                                      • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00408811
                                      • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                      • String ID:
                                      • API String ID: 1771804793-0
                                      • Opcode ID: 9b645307c49ece523b116fa648223e4d0ed288365c05ee1dbdf173a36bd7f3be
                                      • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                      • Opcode Fuzzy Hash: 9b645307c49ece523b116fa648223e4d0ed288365c05ee1dbdf173a36bd7f3be
                                      • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadExecuteFileShell
                                      • String ID: C:\Users\user\Desktop\6122.scr.exe$open
                                      • API String ID: 2825088817-2859085855
                                      • Opcode ID: 2b237405c553a9a1b0e8afa968ba7ab87aca62d7634961c01fb43f6f663e2fce
                                      • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                      • Opcode Fuzzy Hash: 2b237405c553a9a1b0e8afa968ba7ab87aca62d7634961c01fb43f6f663e2fce
                                      • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$FirstNextsend
                                      • String ID: XPG$XPG
                                      • API String ID: 4113138495-1962359302
                                      • Opcode ID: ab691d252adf93a793db7f637d0c661f35909e30d32946a99fdb273c158dd0c5
                                      • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                      • Opcode Fuzzy Hash: ab691d252adf93a793db7f637d0c661f35909e30d32946a99fdb273c158dd0c5
                                      • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                      APIs
                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                        • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                        • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                        • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateInfoParametersSystemValue
                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                      • API String ID: 4127273184-3576401099
                                      • Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                                      • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                      • Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                                      • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                      • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                      • ExitProcess.KERNEL32 ref: 004432EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID: PkGNG
                                      • API String ID: 1703294689-263838557
                                      • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                      • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                      • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                      • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: PkGNG
                                      • API String ID: 0-263838557
                                      • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                      • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                      • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                      • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                      • String ID:
                                      • API String ID: 2829624132-0
                                      • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                      • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                      • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                      • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                      • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                      • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                      • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                      APIs
                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                                      • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                                      • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Crypt$Context$AcquireRandomRelease
                                      • String ID:
                                      • API String ID: 1815803762-0
                                      • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                      • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                      • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                      • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                      APIs
                                      • OpenClipboard.USER32(00000000), ref: 0040B711
                                      • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                      • CloseClipboard.USER32 ref: 0040B725
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseDataOpen
                                      • String ID:
                                      • API String ID: 2058664381-0
                                      • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                      • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                      • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                      • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FeaturePresentProcessor
                                      • String ID:
                                      • API String ID: 2325560087-3916222277
                                      • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                      • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                      • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                      • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                      • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                                      • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                      • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID: lJD
                                      • API String ID: 1084509184-3316369744
                                      • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                      • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                      • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                      • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID: lJD
                                      • API String ID: 1084509184-3316369744
                                      • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                      • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                      • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                      • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: GetLocaleInfoEx
                                      • API String ID: 2299586839-2904428671
                                      • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                      • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                      • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                      • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                      • HeapFree.KERNEL32(00000000), ref: 004120EE
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                      • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                      • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                      • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                      • String ID:
                                      • API String ID: 1663032902-0
                                      • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                      • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                      • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                      • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$InfoLocale_abort_free
                                      • String ID:
                                      • API String ID: 2692324296-0
                                      • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                      • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                      • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                      • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      • Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                      • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                      • Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                      • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                      APIs
                                        • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                      • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                      • String ID:
                                      • API String ID: 1272433827-0
                                      • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                      • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                      • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                      • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                      • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                      • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                      • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                      APIs
                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID:
                                      • API String ID: 2299586839-0
                                      • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                      • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                      • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                      • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                      • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                      • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                      • Instruction Fuzzy Hash:
                                      APIs
                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                        • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                      • DeleteDC.GDI32(00000000), ref: 00418F2A
                                      • DeleteDC.GDI32(00000000), ref: 00418F2D
                                      • DeleteObject.GDI32(00000000), ref: 00418F30
                                      • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                      • DeleteDC.GDI32(00000000), ref: 00418F62
                                      • DeleteDC.GDI32(00000000), ref: 00418F65
                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                      • GetIconInfo.USER32(?,?), ref: 00418FBD
                                      • DeleteObject.GDI32(?), ref: 00418FEC
                                      • DeleteObject.GDI32(?), ref: 00418FF9
                                      • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                      • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                      • DeleteDC.GDI32(?), ref: 0041917C
                                      • DeleteDC.GDI32(00000000), ref: 0041917F
                                      • DeleteObject.GDI32(00000000), ref: 00419182
                                      • GlobalFree.KERNEL32(?), ref: 0041918D
                                      • DeleteObject.GDI32(00000000), ref: 00419241
                                      • GlobalFree.KERNEL32(?), ref: 00419248
                                      • DeleteDC.GDI32(?), ref: 00419258
                                      • DeleteDC.GDI32(00000000), ref: 00419263
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                      • String ID: DISPLAY
                                      • API String ID: 479521175-865373369
                                      • Opcode ID: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                                      • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                      • Opcode Fuzzy Hash: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                                      • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                      • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                      • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                      • ResumeThread.KERNEL32(?), ref: 00418435
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                      • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                      • GetLastError.KERNEL32 ref: 0041847A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                      • API String ID: 4188446516-3035715614
                                      • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                      • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                      • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                      • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                      APIs
                                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                        • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                        • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                      • ExitProcess.KERNEL32 ref: 0040D7D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                      • API String ID: 1861856835-332907002
                                      • Opcode ID: f06c0f3fe88489d0e2c5ffad4c1a0fc09fbad2280a0079c9fbc51da470a9490e
                                      • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                      • Opcode Fuzzy Hash: f06c0f3fe88489d0e2c5ffad4c1a0fc09fbad2280a0079c9fbc51da470a9490e
                                      • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                      APIs
                                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                        • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                      • ExitProcess.KERNEL32 ref: 0040D419
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                      • API String ID: 3797177996-2557013105
                                      • Opcode ID: a1a0741b8aa6907e639e806891c4818a969d9db6df5c1f8137be8dc9c05249f3
                                      • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                      • Opcode Fuzzy Hash: a1a0741b8aa6907e639e806891c4818a969d9db6df5c1f8137be8dc9c05249f3
                                      • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                      • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                      • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                      • GetCurrentProcessId.KERNEL32 ref: 00412541
                                      • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                      • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                        • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                      • Sleep.KERNEL32(000001F4), ref: 00412682
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                      • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                      • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                      • String ID: .exe$8SG$WDH$exepath$open$temp_
                                      • API String ID: 2649220323-436679193
                                      • Opcode ID: 5afe557bd59fe2fb36d972248b29c5deb24c09acede0227067c4c091f693347a
                                      • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                      • Opcode Fuzzy Hash: 5afe557bd59fe2fb36d972248b29c5deb24c09acede0227067c4c091f693347a
                                      • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                      APIs
                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                      • SetEvent.KERNEL32 ref: 0041B219
                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                      • CloseHandle.KERNEL32 ref: 0041B23A
                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                      • API String ID: 738084811-2094122233
                                      • Opcode ID: 1af6777f4b26f00d2594b4f9da1b5597036d5e91d20fdc05908bc04bace6597c
                                      • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                      • Opcode Fuzzy Hash: 1af6777f4b26f00d2594b4f9da1b5597036d5e91d20fdc05908bc04bace6597c
                                      • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                      • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                      • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                      • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Write$Create
                                      • String ID: RIFF$WAVE$data$fmt
                                      • API String ID: 1602526932-4212202414
                                      • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                      • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                      • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                      • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\6122.scr.exe,00000001,0040764D,C:\Users\user\Desktop\6122.scr.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                      • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: C:\Users\user\Desktop\6122.scr.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                      • API String ID: 1646373207-128665797
                                      • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                      • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                      • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                      • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                      APIs
                                      • lstrlenW.KERNEL32(?), ref: 0041C036
                                      • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                      • lstrlenW.KERNEL32(?), ref: 0041C067
                                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                      • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                      • _wcslen.LIBCMT ref: 0041C13B
                                      • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                      • GetLastError.KERNEL32 ref: 0041C173
                                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                      • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                      • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                      • GetLastError.KERNEL32 ref: 0041C1D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                      • String ID: ?
                                      • API String ID: 3941738427-1684325040
                                      • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                      • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                      • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                      • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                      • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                      • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                      • String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                      • API String ID: 2490988753-1941338355
                                      • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                      • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                      • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                      • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$EnvironmentVariable$_wcschr
                                      • String ID:
                                      • API String ID: 3899193279-0
                                      • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                      • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                      • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                      • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                      • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                      • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                      • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                      • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                      • Sleep.KERNEL32(00000064), ref: 00412E94
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                      • String ID: /stext "$0TG$0TG$NG$NG
                                      • API String ID: 1223786279-2576077980
                                      • Opcode ID: 2986c19d5eff0671da4a124577a32cf2d74727819232519ecdbd70d3c5314773
                                      • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                      • Opcode Fuzzy Hash: 2986c19d5eff0671da4a124577a32cf2d74727819232519ecdbd70d3c5314773
                                      • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                      • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnumOpen
                                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                      • API String ID: 1332880857-3714951968
                                      • Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                                      • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                      • Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                                      • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                      APIs
                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                      • GetCursorPos.USER32(?), ref: 0041D5E9
                                      • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                      • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                      • ExitProcess.KERNEL32 ref: 0041D665
                                      • CreatePopupMenu.USER32 ref: 0041D66B
                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                      • String ID: Close
                                      • API String ID: 1657328048-3535843008
                                      • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                      • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                      • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                      • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                      • SetEvent.KERNEL32(?), ref: 00404E43
                                      • CloseHandle.KERNEL32(?), ref: 00404E4C
                                      • closesocket.WS2_32(?), ref: 00404E5A
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                      • SetEvent.KERNEL32(?), ref: 00404EA2
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                      • SetEvent.KERNEL32(?), ref: 00404EBA
                                      • CloseHandle.KERNEL32(?), ref: 00404EBF
                                      • CloseHandle.KERNEL32(?), ref: 00404EC4
                                      • SetEvent.KERNEL32(?), ref: 00404ED1
                                      • CloseHandle.KERNEL32(?), ref: 00404ED6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                      • String ID: PkGNG
                                      • API String ID: 3658366068-263838557
                                      • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                      • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                      • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                      • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$Info
                                      • String ID:
                                      • API String ID: 2509303402-0
                                      • Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                      • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                      • Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                      • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                      • __aulldiv.LIBCMT ref: 00408D4D
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                      • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                      • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                      • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                      • API String ID: 3086580692-2582957567
                                      • Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                                      • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                      • Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                                      • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                      APIs
                                      • Sleep.KERNEL32(00001388), ref: 0040A740
                                        • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                        • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                        • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                        • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                      • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                      • API String ID: 3795512280-1152054767
                                      • Opcode ID: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                                      • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                      • Opcode Fuzzy Hash: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                                      • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                      APIs
                                      • connect.WS2_32(?,?,?), ref: 004048E0
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                      • WSAGetLastError.WS2_32 ref: 00404A21
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                      • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                      • API String ID: 994465650-3229884001
                                      • Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                                      • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                      • Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                                      • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 0045130A
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                      • _free.LIBCMT ref: 004512FF
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00451321
                                      • _free.LIBCMT ref: 00451336
                                      • _free.LIBCMT ref: 00451341
                                      • _free.LIBCMT ref: 00451363
                                      • _free.LIBCMT ref: 00451376
                                      • _free.LIBCMT ref: 00451384
                                      • _free.LIBCMT ref: 0045138F
                                      • _free.LIBCMT ref: 004513C7
                                      • _free.LIBCMT ref: 004513CE
                                      • _free.LIBCMT ref: 004513EB
                                      • _free.LIBCMT ref: 00451403
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                      • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                      • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                      • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00419FB9
                                      • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                      • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                      • GetLocalTime.KERNEL32(?), ref: 0041A105
                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                      • API String ID: 489098229-1431523004
                                      • Opcode ID: a44948d284f133504734d697ca6f7e31c11da472c88381ebf6f8b069d30e9c47
                                      • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                      • Opcode Fuzzy Hash: a44948d284f133504734d697ca6f7e31c11da472c88381ebf6f8b069d30e9c47
                                      • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                      APIs
                                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                        • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                        • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                        • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                      • ExitProcess.KERNEL32 ref: 0040D9C4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                      • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                      • API String ID: 1913171305-3159800282
                                      • Opcode ID: 523fac73997d54481d8aebdb5cb67a2a0406e130f2c03ac9efc8718d19fe164d
                                      • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                      • Opcode Fuzzy Hash: 523fac73997d54481d8aebdb5cb67a2a0406e130f2c03ac9efc8718d19fe164d
                                      • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                      • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                      • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                      • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                      APIs
                                        • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                      • GetLastError.KERNEL32 ref: 00455CEF
                                      • __dosmaperr.LIBCMT ref: 00455CF6
                                      • GetFileType.KERNEL32(00000000), ref: 00455D02
                                      • GetLastError.KERNEL32 ref: 00455D0C
                                      • __dosmaperr.LIBCMT ref: 00455D15
                                      • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                      • CloseHandle.KERNEL32(?), ref: 00455E7F
                                      • GetLastError.KERNEL32 ref: 00455EB1
                                      • __dosmaperr.LIBCMT ref: 00455EB8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                      • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                      • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                      • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                      APIs
                                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                      • __alloca_probe_16.LIBCMT ref: 00453EEA
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                      • __alloca_probe_16.LIBCMT ref: 00453F94
                                      • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                      • __freea.LIBCMT ref: 00454003
                                      • __freea.LIBCMT ref: 0045400F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                      • String ID: \@E
                                      • API String ID: 201697637-1814623452
                                      • Opcode ID: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
                                      • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                      • Opcode Fuzzy Hash: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
                                      • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                                      • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                                      • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                      • __freea.LIBCMT ref: 0044AE30
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • __freea.LIBCMT ref: 0044AE39
                                      • __freea.LIBCMT ref: 0044AE5E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                      • String ID: $C$PkGNG
                                      • API String ID: 3864826663-3740547665
                                      • Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                      • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                      • Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
                                      • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: \&G$\&G$`&G
                                      • API String ID: 269201875-253610517
                                      • Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                      • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                      • Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
                                      • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 65535$udp
                                      • API String ID: 0-1267037602
                                      • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                      • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                      • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                      • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 0040AD38
                                      • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                      • GetForegroundWindow.USER32 ref: 0040AD49
                                      • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                      • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                      • String ID: [${ User has been idle for $ minutes }$]
                                      • API String ID: 911427763-3954389425
                                      • Opcode ID: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                                      • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                      • Opcode Fuzzy Hash: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
                                      • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                      • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                      • __dosmaperr.LIBCMT ref: 0043A8A6
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                      • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                      • __dosmaperr.LIBCMT ref: 0043A8E3
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                      • __dosmaperr.LIBCMT ref: 0043A937
                                      • _free.LIBCMT ref: 0043A943
                                      • _free.LIBCMT ref: 0043A94A
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                      • String ID:
                                      • API String ID: 2441525078-0
                                      • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                      • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                      • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                      • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 004054BF
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                      • TranslateMessage.USER32(?), ref: 0040557E
                                      • DispatchMessageA.USER32(?), ref: 00405589
                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                      • API String ID: 2956720200-749203953
                                      • Opcode ID: d61d42d8eab0d720631995167214654c6103fa2369fe784e1bd38fbaf09f349a
                                      • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                      • Opcode Fuzzy Hash: d61d42d8eab0d720631995167214654c6103fa2369fe784e1bd38fbaf09f349a
                                      • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                      APIs
                                        • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                      • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                      • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                      • String ID: 0VG$0VG$<$@$Temp
                                      • API String ID: 1704390241-2575729100
                                      • Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                                      • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                      • Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
                                      • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                      APIs
                                      • OpenClipboard.USER32 ref: 00416941
                                      • EmptyClipboard.USER32 ref: 0041694F
                                      • CloseClipboard.USER32 ref: 00416955
                                      • OpenClipboard.USER32 ref: 0041695C
                                      • GetClipboardData.USER32(0000000D), ref: 0041696C
                                      • GlobalLock.KERNEL32(00000000), ref: 00416975
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                      • CloseClipboard.USER32 ref: 00416984
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                      • String ID: !D@
                                      • API String ID: 2172192267-604454484
                                      • Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                                      • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                      • Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
                                      • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                      APIs
                                      • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                      • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                      • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                      • CloseHandle.KERNEL32(?), ref: 00413465
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                      • String ID:
                                      • API String ID: 297527592-0
                                      • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                      • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                      • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                      • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                      • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                      • Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
                                      • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                      APIs
                                      • _free.LIBCMT ref: 00448135
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00448141
                                      • _free.LIBCMT ref: 0044814C
                                      • _free.LIBCMT ref: 00448157
                                      • _free.LIBCMT ref: 00448162
                                      • _free.LIBCMT ref: 0044816D
                                      • _free.LIBCMT ref: 00448178
                                      • _free.LIBCMT ref: 00448183
                                      • _free.LIBCMT ref: 0044818E
                                      • _free.LIBCMT ref: 0044819C
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                      • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                      • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                      • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Eventinet_ntoa
                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                      • API String ID: 3578746661-3604713145
                                      • Opcode ID: 56d2d8895fe3b6af3d7bfbb84932521cb61644df9a1adc77dd7b2c2bf54f5752
                                      • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                      • Opcode Fuzzy Hash: 56d2d8895fe3b6af3d7bfbb84932521cb61644df9a1adc77dd7b2c2bf54f5752
                                      • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                      APIs
                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DecodePointer
                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                      • API String ID: 3527080286-3064271455
                                      • Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                      • Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
                                      • Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
                                      • Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E
                                      APIs
                                      • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                      • __fassign.LIBCMT ref: 0044B479
                                      • __fassign.LIBCMT ref: 0044B494
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                      • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                                      • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID: PkGNG
                                      • API String ID: 1324828854-263838557
                                      • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                      • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                      • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                      • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • Sleep.KERNEL32(00000064), ref: 00417521
                                      • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CreateDeleteExecuteShellSleep
                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                      • API String ID: 1462127192-2001430897
                                      • Opcode ID: d6a7a8c36c87aba2787b8ea33aa4d1f7fca6d44790c4f13fbcc8ebc3b329175f
                                      • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                      • Opcode Fuzzy Hash: d6a7a8c36c87aba2787b8ea33aa4d1f7fca6d44790c4f13fbcc8ebc3b329175f
                                      • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
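The record above shows the sample running ShellExecuteW(NULL, "open", "dxdiag", ...) with the strings "/t ", "temp" and "\sysinfo.txt", opening the result with GENERIC_READ (the CreateFileW subcall with 0x80000000 and OPEN_EXISTING), sleeping 100 ms (0x64) and then calling DeleteFileW: dxdiag is used as a built-in host-profiling tool and its report is removed straight after it is read. Because the file lives for well under a second, process-creation telemetry is the reliable place to catch this, not the file system. The following detection logic is an added example, not code from the report or from the sample; the events are constructed Sysmon-style EventID 1 records (Image, CommandLine, ParentImage) and the list of "expected" parents is an assumption to tune per environment.

```python
"""Flag dxdiag.exe being used to dump a host report into a temp file.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS are
constructed process-creation records, not data taken from the analysis.
"""
import ntpath
import re
from typing import Dict, Iterable, List

# dxdiag's /t switch writes a text report to the given path. The sample
# calls ShellExecuteW(NULL, "open", "dxdiag", "/t <temp>\sysinfo.txt").
_DXDIAG_T = re.compile(r'(?:^|\s)/t\s+(?P<out>"[^"]+"|\S+)', re.IGNORECASE)

# Directories an interactive dxdiag run would not normally target.
_TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Parents that plausibly launch dxdiag for a user (assumption, tune locally).
# A .scr, a renamed binary or an injected host process is not one of them.
_EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "msiexec.exe"}


def dxdiag_report_path(command_line: str) -> str:
    """Return the /t output path from a dxdiag command line, or '' if none."""
    m = _DXDIAG_T.search(command_line)
    return m.group("out").strip('"') if m else ""


def is_suspicious_dxdiag(event: Dict[str, str]) -> bool:
    """True when dxdiag writes a report to a temp path or has an odd parent."""
    if ntpath.basename(event.get("Image", "")).lower() != "dxdiag.exe":
        return False
    out = dxdiag_report_path(event.get("CommandLine", "")).lower()
    if not out:
        return False  # plain GUI run, nothing written to disk
    to_temp = any(marker in out for marker in _TEMP_MARKERS)
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return to_temp or parent not in _EXPECTED_PARENTS


def find_dxdiag_sysinfo_dumps(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a stream of process-creation events down to the suspicious runs."""
    return [e for e in events if is_suspicious_dxdiag(e)]


# Constructed sample events (not from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dxdiag.exe",
     "CommandLine": r"dxdiag /t C:\Users\user\AppData\Local\Temp\sysinfo.txt",
     "ParentImage": r"C:\Users\user\Desktop\6122.scr.exe"},
    {"Image": r"C:\Windows\System32\dxdiag.exe",
     "CommandLine": "dxdiag",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\dxdiag.exe",
     "CommandLine": r'"C:\Windows\System32\dxdiag.exe" /t "C:\Users\user\Documents\gpu report.txt"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad /t something",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in find_dxdiag_sysinfo_dumps(SAMPLE_EVENTS):
        print("suspicious:", hit["ParentImage"], "->", hit["CommandLine"])
```

Only the first constructed event is flagged: it writes into the user's Temp directory and its parent is the screensaver-named sample. A legitimate user export to Documents launched from Explorer passes, which is the false-positive case worth keeping in the sample set.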
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                      • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\6122.scr.exe), ref: 0040749E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProcess
                                      • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                      • API String ID: 2050909247-4242073005
                                      • Opcode ID: c96af00a5e7ec94e66acc45bf1863d5a4294996af44aaa2752f51638bf238a49
                                      • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                      • Opcode Fuzzy Hash: c96af00a5e7ec94e66acc45bf1863d5a4294996af44aaa2752f51638bf238a49
                                      • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                      APIs
                                      • _strftime.LIBCMT ref: 00401D50
                                        • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                      • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                      • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                      • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                      • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                      • API String ID: 3809562944-243156785
                                      • Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                                      • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                      • Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
                                      • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                      • int.LIBCPMT ref: 00410E81
                                        • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                        • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                      • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                      • __Init_thread_footer.LIBCMT ref: 00410F29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                      • String ID: ,kG$0kG
                                      • API String ID: 3815856325-2015055088
                                      • Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                                      • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                      • Opcode Fuzzy Hash: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
                                      • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                      APIs
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                      • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                      • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                      • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                      • waveInStart.WINMM ref: 00401CFE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                      • String ID: dMG$|MG$PG
                                      • API String ID: 1356121797-532278878
                                      • Opcode ID: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
                                      • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                      • Opcode Fuzzy Hash: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
                                      • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
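Two records above describe the microphone capture: the function at 00401BF9 creates a directory and opens the default input device (waveInOpen with device id 0xFFFFFFFF, WAVE_MAPPER) before queueing buffers and calling waveInStart, and the function at 00401D50 names the output with strftime("%Y-%m-%d %H.%M") plus ".wav" and writes it through CreateFileW. For incident response that gives a concrete artifact to hunt: WAV files named by minute. The script below is an added example, not code from the report or the sample; it matches that naming scheme and parses the RIFF/WAVE header so a hit can be confirmed as real audio. The directory listing and the WAV bytes are constructed here.

```python
"""Find and verify recordings named the way the sample names them.

Added example, not part of the Joe Sandbox report. SAMPLE_LISTING and
make_sample_wav() are constructed inputs, not artifacts from the analysis.
"""
import io
import re
import struct
import wave
from typing import Dict, Iterable, List, Optional

# strftime("%Y-%m-%d %H.%M") + ".wav"  ->  e.g. "2024-09-26 14.03.wav"
_TIMESTAMPED_WAV = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}\.\d{2}\.wav$", re.IGNORECASE)


def candidate_recordings(names: Iterable[str]) -> List[str]:
    """Return the file names that follow the sample's timestamped .wav scheme."""
    return [n for n in names if _TIMESTAMPED_WAV.match(n)]


def wav_header(data: bytes) -> Optional[Dict[str, int]]:
    """Parse a RIFF/WAVE header; None if the bytes are not a WAV file.

    Only the 'fmt ' chunk is read, so a recording cut off mid-write (the
    sample writes buffers as waveIn hands them back) still reports its
    format even when the data chunk length is wrong.
    """
    if len(data) < 12 or data[0:4] != b"RIFF" or data[8:12] != b"WAVE":
        return None
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        chunk_size = struct.unpack_from("<I", data, pos + 4)[0]
        if chunk_id == b"fmt " and chunk_size >= 16 and pos + 8 + 16 <= len(data):
            fmt, channels, rate, _byte_rate, _align, bits = struct.unpack_from("<HHIIHH", data, pos + 8)
            return {"format": fmt, "channels": channels, "sample_rate": rate, "bits": bits}
        pos += 8 + chunk_size + (chunk_size & 1)  # chunks are word-aligned
    return None


def make_sample_wav(seconds: float = 0.01, rate: int = 8000) -> bytes:
    """Constructed mono 16-bit PCM WAV (silence), used only to exercise the parser."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"\x00\x00" * int(rate * seconds))
    return buf.getvalue()


# Constructed directory listing (not from the report).
SAMPLE_LISTING = [
    "2024-09-26 14.03.wav",
    "2024-09-26 14.04.wav",
    "notes.txt",
    "2024-09-26.wav",
    "sysinfo.txt",
]

if __name__ == "__main__":
    for name in candidate_recordings(SAMPLE_LISTING):
        print("candidate recording:", name)
    print(wav_header(make_sample_wav()))
```

On a real host, feed candidate_recordings() the listing of the directory created by the 00401BF9 function (the report does not state its path, so walk the sample's working and AppData directories) and pass each file's first few hundred bytes to wav_header(); a match on the name alone is weak evidence, a match plus a PCM header is strong.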
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                        • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                        • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                        • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                      • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                      • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                      • TranslateMessage.USER32(?), ref: 0041D4E9
                                      • DispatchMessageA.USER32(?), ref: 0041D4F3
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                      • String ID: Remcos
                                      • API String ID: 1970332568-165870891
                                      • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                      • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                      • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                      • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                                      • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                      • Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
                                      • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • _memcmp.LIBVCRUNTIME ref: 00445423
                                      • _free.LIBCMT ref: 00445494
                                      • _free.LIBCMT ref: 004454AD
                                      • _free.LIBCMT ref: 004454DF
                                      • _free.LIBCMT ref: 004454E8
                                      • _free.LIBCMT ref: 004454F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast$_abort_memcmp
                                      • String ID: C
                                      • API String ID: 1679612858-1037565863
                                      • Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                                      • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                      • Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                                      • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: tcp$udp
                                      • API String ID: 0-3725065008
                                      • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                      • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                      • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                      • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                      APIs
                                        • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                      • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                      • GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                      • SetLastError.KERNEL32(0000000E), ref: 00411DC9
                                        • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
                                      • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
                                      • HeapAlloc.KERNEL32(00000000), ref: 00411E17
                                      • SetLastError.KERNEL32(0000045A), ref: 00411F2A
                                        • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                        • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                      • String ID: t^F
                                      • API String ID: 3950776272-389975521
                                      • Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                      • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                      • Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                      • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
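The record above is the sample's in-memory PE loader. The SetLastError values it writes, 0xD (ERROR_INVALID_DATA), 0xC1 (ERROR_BAD_EXE_FORMAT), 0xE (ERROR_OUTOFMEMORY) and 0x45A (ERROR_DLL_INIT_FAILED), together with GetNativeSystemInfo for the page size, VirtualAlloc(…, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) for the image and HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x40) for the loader's bookkeeping struct, are the check sequence of a manual mapper in the style of the open-source MemoryModule library, which is how the RAT payload is mapped without touching LoadLibrary. The script below is an added example, not code from the report or the sample: it applies the header checks such a loader performs before allocation to a buffer and returns the Win32 error the loader would set, which helps when deciding whether a carved blob is a complete image. The constructed test images, the 0x1000 page size and the minimum header length it reads are assumptions.

```python
"""Reproduce the pre-allocation header checks of a MemoryModule-style loader.

Added example, not code from the Joe Sandbox report or from the sample.
build_min_pe() constructs header-only images for demonstration.
"""
import struct
from typing import Sequence, Tuple

ERROR_SUCCESS, ERROR_INVALID_DATA, ERROR_OUTOFMEMORY = 0x0, 0xD, 0xE
ERROR_BAD_EXE_FORMAT = 0xC1
ERROR_DLL_INIT_FAILED = 0x45A      # set later, when DllMain returns FALSE
IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664
PAGE_SIZE = 0x1000                 # what GetNativeSystemInfo reports on x86/x64 (assumption)
MIN_HEADERS = 24 + 96              # Signature + FILE_HEADER + the optional-header fields read below


def align_up(value: int, boundary: int) -> int:
    return (value + boundary - 1) & ~(boundary - 1)


def precheck_manual_map(data: bytes, host_machine: int = IMAGE_FILE_MACHINE_I386) -> Tuple[int, str]:
    """Return (win32_error, reason) in the order a manual mapper checks them.

    ERROR_SUCCESS means the loader would go on to VirtualAlloc the image;
    a failed allocation is where ERROR_OUTOFMEMORY would then be set.
    """
    if len(data) < 64:                                      # sizeof(IMAGE_DOS_HEADER)
        return ERROR_INVALID_DATA, "shorter than IMAGE_DOS_HEADER"
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return ERROR_BAD_EXE_FORMAT, "no MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + MIN_HEADERS:
        return ERROR_INVALID_DATA, "e_lfanew points past the buffer"
    signature, machine, nsections = struct.unpack_from("<IHH", data, e_lfanew)
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    if signature != IMAGE_NT_SIGNATURE:
        return ERROR_BAD_EXE_FORMAT, "no PE signature"
    if machine != host_machine:
        return ERROR_BAD_EXE_FORMAT, "machine 0x%x does not match host" % machine
    opt = e_lfanew + 24
    section_alignment = struct.unpack_from("<I", data, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    if section_alignment & 1:
        return ERROR_BAD_EXE_FORMAT, "odd SectionAlignment"
    # Walk the section table: the image must end where the last section ends.
    last_end, table = 0, opt + size_opt
    for i in range(nsections):
        off = table + i * 40
        if len(data) < off + 40:
            return ERROR_INVALID_DATA, "section table truncated"
        va, raw = struct.unpack_from("<II", data, off + 12)   # VirtualAddress, SizeOfRawData
        last_end = max(last_end, va + (raw if raw else section_alignment))
    if align_up(size_of_image, PAGE_SIZE) != align_up(last_end, PAGE_SIZE):
        return ERROR_BAD_EXE_FORMAT, "SizeOfImage disagrees with the section table"
    return ERROR_SUCCESS, "headers accepted; loader would VirtualAlloc 0x%x bytes" % align_up(size_of_image, PAGE_SIZE)


def build_min_pe(machine: int = IMAGE_FILE_MACHINE_I386, section_alignment: int = 0x1000,
                 sections: Sequence[Tuple[int, int]] = ((0x1000, 0x200),),
                 size_of_image: int = 0x2000) -> bytes:
    """Constructed header-only PE32 image: DOS header, NT headers, section table."""
    e_lfanew, size_opt = 0x40, 96
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<II", opt, 32, section_alignment, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, size_of_image, 0x200)       # SizeOfImage, SizeOfHeaders
    table = b"".join(b".sect".ljust(8, b"\0") + struct.pack("<IIII", raw, va, raw, 0x200) + b"\0" * 16
                     for va, raw in sections)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt) + table


if __name__ == "__main__":
    for label, blob in [("valid", build_min_pe()),
                        ("x64 on x86 host", build_min_pe(machine=IMAGE_FILE_MACHINE_AMD64)),
                        ("bad SizeOfImage", build_min_pe(size_of_image=0x5000)),
                        ("truncated", build_min_pe()[:100])]:
        print(label, "->", precheck_manual_map(blob))
```

When triaging a dumped region, the pair (error, reason) tells you which repair to attempt: ERROR_INVALID_DATA usually means the carve is short, the SizeOfImage mismatch usually means the section table was captured from a mapped image rather than a file image, and a machine mismatch means the blob belongs to a different architecture than the host process (note that the sample calls GetNativeSystemInfo rather than GetSystemInfo, so it sees the real architecture even under WOW64).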
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 004018BE
                                      • ExitThread.KERNEL32 ref: 004018F6
                                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                      • String ID: PkG$XMG$NG$NG
                                      • API String ID: 1649129571-3151166067
                                      • Opcode ID: cdec32db15edff859d4dc3adfbb971a1a7df97296c827c92140e57336d635a83
                                      • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                      • Opcode Fuzzy Hash: cdec32db15edff859d4dc3adfbb971a1a7df97296c827c92140e57336d635a83
                                      • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                        • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                        • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                      • String ID: .part
                                      • API String ID: 1303771098-3499674018
                                      • Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                                      • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                      • Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
                                      • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                      APIs
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                      • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InputSend
                                      • String ID:
                                      • API String ID: 3431551938-0
                                      • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                      • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                      • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                      • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: __freea$__alloca_probe_16_free
                                      • String ID: a/p$am/pm$zD
                                      • API String ID: 2936374016-2723203690
                                      • Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                      • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                      • Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                      • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                      APIs
                                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Enum$InfoQueryValue
                                      • String ID: [regsplt]$xUG$TG
                                      • API String ID: 3554306468-1165877943
                                      • Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                                      • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                      • Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
                                      • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: D[E$D[E
                                      • API String ID: 269201875-3695742444
                                      • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                      • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                      • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                      • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                        • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                        • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: CloseEnumInfoOpenQuerysend
                                      • String ID: xUG$NG$NG$TG
                                      • API String ID: 3114080316-2811732169
                                      • Opcode ID: c6f35c2bf26cfa5651eb61a3c71b5883c010595c96b2a316ccc479b627cc95f7
                                      • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                      • Opcode Fuzzy Hash: c6f35c2bf26cfa5651eb61a3c71b5883c010595c96b2a316ccc479b627cc95f7
                                      • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                      • __alloca_probe_16.LIBCMT ref: 004511B1
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                      • __freea.LIBCMT ref: 0045121D
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                      • String ID: PkGNG
                                      • API String ID: 313313983-263838557
                                      • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                      • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                      • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                      • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                      APIs
                                        • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                        • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                        • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • _wcslen.LIBCMT ref: 0041B763
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                      • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                      • API String ID: 37874593-122982132
                                      • Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                      • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                      • Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                      • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                      APIs
                                        • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                        • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                        • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                      • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                      • API String ID: 1133728706-4073444585
                                      • Opcode ID: 44b5265c6c0164f295b1527da2f4df424204d8919945bee9dcb633f0f8b76136
                                      • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                      • Opcode Fuzzy Hash: 44b5265c6c0164f295b1527da2f4df424204d8919945bee9dcb633f0f8b76136
                                      • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                      • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                      • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                      • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                      APIs
                                        • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                      • _free.LIBCMT ref: 00450F48
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00450F53
                                      • _free.LIBCMT ref: 00450F5E
                                      • _free.LIBCMT ref: 00450FB2
                                      • _free.LIBCMT ref: 00450FBD
                                      • _free.LIBCMT ref: 00450FC8
                                      • _free.LIBCMT ref: 00450FD3
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                      • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                      • int.LIBCPMT ref: 00411183
                                        • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                        • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                      • std::_Facet_Register.LIBCPMT ref: 004111C3
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                      • String ID: (mG
                                      • API String ID: 2536120697-4059303827
                                      • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                      • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                      • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                      • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                      APIs
                                      • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                      • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                      • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                      • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                      • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\6122.scr.exe), ref: 004075D0
                                        • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                        • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                      • CoUninitialize.OLE32 ref: 00407629
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: InitializeObjectUninitialize_wcslen
                                      • String ID: C:\Users\user\Desktop\6122.scr.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                      • API String ID: 3851391207-895417928
                                      • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                      • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                      • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                      • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                      • GetLastError.KERNEL32 ref: 0040BAE7
                                      Strings
                                      • UserProfile, xrefs: 0040BAAD
                                      • [Chrome Cookies not found], xrefs: 0040BB01
                                      • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                      • API String ID: 2018770650-304995407
                                      • Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                      • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                      • Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                      • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                      APIs
                                      • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                      • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: Console$AllocOutputShowWindow
                                      • String ID: Remcos v$5.1.0 Pro$CONOUT$
                                      • API String ID: 2425139147-1043272453
                                      • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                      • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                      • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                      • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                      • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$PkGNG$mscoree.dll
                                      • API String ID: 4061214504-213444651
                                      • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                      • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                      • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                      • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                      APIs
                                      • __allrem.LIBCMT ref: 0043AC69
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                      • __allrem.LIBCMT ref: 0043AC9C
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                      • __allrem.LIBCMT ref: 0043ACD1
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 1992179935-0
                                      • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                      • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                      • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                      • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                      APIs
                                      • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                        • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: H_prologSleep
                                      • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                      • API String ID: 3469354165-3054508432
                                      • Opcode ID: f7db187a1fe7af92a7c3ce0a79d7e7b6810ab1ab4c8a6d96157cd488684fa951
                                      • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                      • Opcode Fuzzy Hash: f7db187a1fe7af92a7c3ce0a79d7e7b6810ab1ab4c8a6d96157cd488684fa951
                                      • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: __cftoe
                                      • String ID:
                                      • API String ID: 4189289331-0
                                      • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                      • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                      • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                      • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID:
                                      • API String ID: 493672254-0
                                      • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                      • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                      • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                      • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: __alldvrm$_strrchr
                                      • String ID: PkGNG
                                      • API String ID: 1036877536-263838557
                                      • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                      • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                      • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                      • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                      APIs
                                      • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • _free.LIBCMT ref: 0044824C
                                      • _free.LIBCMT ref: 00448274
                                      • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • _abort.LIBCMT ref: 00448293
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                      • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                      • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                      • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                      • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                      • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                      • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                      • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                      • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                      • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                      • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                      • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                      • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: PkGNG
                                      • API String ID: 0-263838557
                                      • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                      • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                      • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                      • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                      • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                      • CloseHandle.KERNEL32(?), ref: 00404DDB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                      • String ID: PkGNG
                                      • API String ID: 3360349984-263838557
                                      • Opcode ID: e2f882af2a30351f686d04b3cd6d667c62da5f5effcafa466e9aedc6b7e26869
                                      • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                      • Opcode Fuzzy Hash: e2f882af2a30351f686d04b3cd6d667c62da5f5effcafa466e9aedc6b7e26869
                                      • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                      • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                      • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSizeSleep
                                      • String ID: XQG
                                      • API String ID: 1958988193-3606453820
                                      • Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                                      • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                      • Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                                      • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                      APIs
                                      • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                      • GetLastError.KERNEL32 ref: 0041D580
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ClassCreateErrorLastRegisterWindow
                                      • String ID: 0$MsgWindowClass
                                      • API String ID: 2877667751-2410386613
                                      • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                      • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                      • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                      • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                      APIs
                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                      • CloseHandle.KERNEL32(?), ref: 004077AA
                                      • CloseHandle.KERNEL32(?), ref: 004077AF
                                      Strings
                                      • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreateProcess
                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                      • API String ID: 2922976086-4183131282
                                      • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                      • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                      • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                      • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
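The record above is the clearest host-side artifact in this dump: a CreateProcessA call that runs reg.exe to set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0, which disables UAC for every account once the machine restarts (writing that HKLM value already requires an elevated token). The following Python is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses lines in the API-call format used throughout this page, separates the inlined string arguments from the hex and "?" placeholders, and flags any command line that turns EnableLUA off. The sample lines are copied from records on this page plus one constructed benign CreateProcessA line as a control; splitting arguments on commas assumes the inlined strings contain none, which holds for these records.

```python
"""Extract inlined string arguments from Joe Sandbox API-call lines and flag UAC tampering.

Added example; not part of the report or of the sample under analysis.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One API record line as rendered in the report, with or without an argument list
# and with or without the "Part of subcall function XXXXXXXX:" prefix, e.g.
#   • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k ...,00000000,?), ref: 0040779B
#   • _free.LIBCMT ref: 00448293
API_LINE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Joe Sandbox renders numeric arguments as 8 hex digits and unknown ones as "?";
# anything else in the argument list is a string the analyser resolved.
HEX_ARG = re.compile(r"^(?:[0-9A-Fa-f]{8}|\?)$")

# reg ADD ...\Policies\System /v EnableLUA ... /d 0, case-insensitive, any switch
# order after the key path. /d 0 is the value that disables UAC.
UAC_DISABLE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+"
    r"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\b"
    r".*?/v\s+EnableLUA\b.*?/d\s+0\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]
    ref: str
    subcall: bool


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one report line; return None for headers, hashes and other non-API lines."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # Splitting on commas assumes inlined strings contain no commas (true for these records).
    args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
    return ApiCall(m["api"], m["module"], args, m["ref"].upper(), m["sub"] is not None)


def string_args(call: ApiCall) -> list[str]:
    """Arguments that are neither 8-hex-digit values nor '?' are resolved strings."""
    return [a for a in call.args if not HEX_ARG.match(a)]


def find_uac_tampering(report_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (ref, api, command line) for every API call whose string args disable UAC."""
    hits = []
    for line in report_lines:
        call = parse_api_line(line)
        if call is None:
            continue
        for s in string_args(call):
            if UAC_DISABLE.search(s):
                hits.append((call.ref, call.api, s))
    return hits


# Constructed sample: the first five lines are copied from records on this page,
# the last is a benign CreateProcessA line added as a control (ref is a placeholder).
SAMPLE_REPORT = r"""
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
• CloseHandle.KERNEL32(?), ref: 004077AA
• CloseHandle.KERNEL32(?), ref: 004077AF
• _free.LIBCMT ref: 00448293
  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
• CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/c whoami,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00000000
""".strip().splitlines()

if __name__ == "__main__":
    for ref, api, cmd in find_uac_tampering(SAMPLE_REPORT):
        print(f"{ref} {api}: {cmd}")
```

Run against a full report export, the same `find_uac_tampering` call will surface the command line regardless of whether the process was launched through CreateProcessA, ShellExecute or WinExec, because it matches on the resolved string arguments rather than on the API name; the control line shows that an ordinary cmd.exe invocation is not flagged.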
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: SG$C:\Users\user\Desktop\6122.scr.exe
                                      • API String ID: 0-2335978512
                                      • Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                                      • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                      • Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                                      • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                      • SetEvent.KERNEL32(?), ref: 0040512C
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                      • CloseHandle.KERNEL32(?), ref: 00405140
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                      • String ID: KeepAlive | Disabled
                                      • API String ID: 2993684571-305739064
                                      • Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                                      • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                      • Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                                      • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                      APIs
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                      • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                      • Sleep.KERNEL32(00002710), ref: 0041AE07
                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                      • String ID: Alarm triggered
                                      • API String ID: 614609389-2816303416
                                      • Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                                      • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                      • Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                                      • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                      Strings
                                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                      • API String ID: 3024135584-2418719853
                                      • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                      • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                      • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                      • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                      • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                      • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                      • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                      APIs
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • _free.LIBCMT ref: 00444E06
                                      • _free.LIBCMT ref: 00444E1D
                                      • _free.LIBCMT ref: 00444E3C
                                      • _free.LIBCMT ref: 00444E57
                                      • _free.LIBCMT ref: 00444E6E
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$AllocateHeap
                                      • String ID:
                                      • API String ID: 3033488037-0
                                      • Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                      • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                      • Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                      • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                      APIs
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                      • _free.LIBCMT ref: 004493BD
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00449589
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                      • String ID:
                                      • API String ID: 1286116820-0
                                      • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                      • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                      • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                      • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                      APIs
                                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                      • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                        • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 4269425633-0
                                      • Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                                      • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                      • Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                                      • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                      • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                      • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                      • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                      • _free.LIBCMT ref: 0044F3BF
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                      • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                      • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                      • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                      APIs
                                      • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                      • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                      Similarity
                                      • API ID: File$CloseHandle$CreatePointerWrite
                                      • String ID:
                                      • API String ID: 1852769593-0
                                      APIs
                                      • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                      • _free.LIBCMT ref: 004482D3
                                      • _free.LIBCMT ref: 004482FA
                                      • SetLastError.KERNEL32(00000000), ref: 00448307
                                      • SetLastError.KERNEL32(00000000), ref: 00448310
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      APIs
                                      • _free.LIBCMT ref: 004509D4
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 004509E6
                                      • _free.LIBCMT ref: 004509F8
                                      • _free.LIBCMT ref: 00450A0A
                                      • _free.LIBCMT ref: 00450A1C
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      APIs
                                      • _free.LIBCMT ref: 00444066
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00444078
                                      • _free.LIBCMT ref: 0044408B
                                      • _free.LIBCMT ref: 0044409C
                                      • _free.LIBCMT ref: 004440AD
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: PkGNG
                                      • API String ID: 0-263838557
                                      APIs
                                      • _strpbrk.LIBCMT ref: 0044E738
                                      • _free.LIBCMT ref: 0044E855
                                        • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                        • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
                                        • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
                                      Strings
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                      • String ID: *?$.
                                      • API String ID: 2812119850-3972193922
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: CountEventTick
                                      • String ID: !D@$NG
                                      • API String ID: 180926312-2721294649
                                      APIs
                                      • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                        • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                        • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Similarity
                                      • API ID: CreateFileKeyboardLayoutNameconnectsend
                                      • String ID: XQG$NG$PG
                                      • API String ID: 1634807452-3565412412
                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                      Strings
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: `#D$`#D
                                      • API String ID: 885266447-2450397995
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\6122.scr.exe,00000104), ref: 00443475
                                      • _free.LIBCMT ref: 00443540
                                      • _free.LIBCMT ref: 0044354A
                                      Strings
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\Desktop\6122.scr.exe
                                      • API String ID: 2506810119-4047784405
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                      • GetLastError.KERNEL32 ref: 0044B931
                                      Strings
                                      Similarity
                                      • API ID: ByteCharErrorFileLastMultiWideWrite
                                      • String ID: PkGNG
                                      • API String ID: 2456169464-263838557
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                      Strings
                                      Similarity
                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                      • String ID: /sort "Visit Time" /stext "$0NG
                                      • API String ID: 368326130-3219657780
                                      APIs
                                      • _wcslen.LIBCMT ref: 004162F5
                                        • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                        • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                        • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                        • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                      Strings
                                      Similarity
                                      • API ID: _wcslen$CloseCreateValue
                                      • String ID: !D@$okmode$PG
                                      • API String ID: 3411444782-3370592832
                                      APIs
                                        • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                      Strings
                                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                      • User Data\Default\Network\Cookies, xrefs: 0040C603
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      APIs
                                        • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                      Strings
                                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                      • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                      • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                      • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                      Strings
                                      Similarity
                                      • API ID: CreateThread$LocalTimewsprintf
                                      • String ID: Offline Keylogger Started
                                      • API String ID: 465354869-4114347211
                                      APIs
                                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
                                      • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
                                      • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                      Strings
                                      Similarity
                                      • API ID: CreateThread$LocalTime$wsprintf
                                      • String ID: Online Keylogger Started
                                      • API String ID: 112202259-1258561607
                                      APIs
                                      • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      Strings
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                      • API String ID: 481472006-3277280411
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 00404F81
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                      • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                      Similarity
                                      • API ID: Create$EventLocalThreadTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 2532271599-1507639952
                                      • Opcode ID: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
                                      • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                      • Opcode Fuzzy Hash: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
                                      • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                      APIs
                                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: CryptUnprotectData$crypt32
                                      • API String ID: 2574300362-2380590389
                                      • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                      • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                      • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                      • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                      APIs
                                      • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                      • GetLastError.KERNEL32 ref: 0044C296
                                      • __dosmaperr.LIBCMT ref: 0044C29D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorFileLastPointer__dosmaperr
                                      • String ID: PkGNG
                                      • API String ID: 2336955059-263838557
                                      • Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                      • Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
                                      • Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                      • Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                      • CloseHandle.KERNEL32(?), ref: 004051CA
                                      • SetEvent.KERNEL32(?), ref: 004051D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandleObjectSingleWait
                                      • String ID: Connection Timeout
                                      • API String ID: 2055531096-499159329
                                      • Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                                      • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                      • Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
                                      • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 2005118841-1866435925
                                      • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                      • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                      • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                      • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                      APIs
                                      • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                      • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FormatFreeLocalMessage
                                      • String ID: @J@$PkGNG
                                      • API String ID: 1427518018-1416487119
                                      • Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                                      • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                                      • Opcode Fuzzy Hash: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
                                      • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                        • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                        • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                      • String ID: bad locale name
                                      • API String ID: 3628047217-1405518554
                                      • Opcode ID: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                                      • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                      • Opcode Fuzzy Hash: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                                      • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                      APIs
                                      • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                      • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                      • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: Control Panel\Desktop
                                      • API String ID: 1818849710-27424756
                                      • Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                      • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                      • Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
                                      • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                      • ShowWindow.USER32(00000009), ref: 00416C61
                                      • SetForegroundWindow.USER32 ref: 00416C6D
                                        • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                        • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                        • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                      • String ID: !D@
                                      • API String ID: 3446828153-604454484
                                      • Opcode ID: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                                      • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                      • Opcode Fuzzy Hash: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
                                      • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: /C $cmd.exe$open
                                      • API String ID: 587946157-3896048727
                                      • Opcode ID: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
                                      • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                      • Opcode Fuzzy Hash: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
                                      • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                      APIs
                                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                      • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: GetCursorInfo$User32.dll
                                      • API String ID: 1646373207-2714051624
                                      • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                      • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
                                      • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
                                      • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
                                      APIs
                                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                      • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetLastInputInfo$User32.dll
                                      • API String ID: 2574300362-1519888992
                                      • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                      • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
                                      • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
                                      • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
                                      APIs
                                      Strings
                                      • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                      • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                      • API String ID: 3472027048-1236744412
                                      • Opcode ID: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                                      • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                      • Opcode Fuzzy Hash: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
                                      • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                      APIs
                                        • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                        • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                        • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                      • Sleep.KERNEL32(000001F4), ref: 0040A573
                                      • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$ForegroundLength
                                      • String ID: [ $ ]
                                      • API String ID: 3309952895-93608704
                                      • Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                      • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                      • Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                      • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                      • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                      • Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                      • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                      • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                      • Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                      • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                      • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                      • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                      • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                      • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                                      • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      • Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                      • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                      • Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                      • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                      APIs
                                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleOpenProcess
                                      • String ID:
                                      • API String ID: 39102293-0
                                      • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                      • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                      • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                      • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                        • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                      • _UnwindNestedFrames.LIBCMT ref: 00439891
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                      • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      • String ID:
                                      • API String ID: 2633735394-0
                                      • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                      • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                                      • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                      • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                                      APIs
                                      • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                      • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                      • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                      • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MetricsSystem
                                      • String ID:
                                      • API String ID: 4116985748-0
                                      • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                      • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                                      • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                      • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                        • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0
                                      • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                      • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                                      • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                      • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHandling__start
                                      • String ID: pow
                                      • API String ID: 3213639722-2276729525
                                      • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                      • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                                      • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                      • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
                                      • GetLastError.KERNEL32 ref: 00449F2B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide
                                      • String ID: PkGNG
                                      • API String ID: 203985260-263838557
                                      • Opcode ID: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
                                      • Instruction ID: 5218313022fb824330162c1b3e1e252a07855a0508c927524b2412b0d5c8e50b
                                      • Opcode Fuzzy Hash: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
                                      • Instruction Fuzzy Hash: A531F831600205EBEB21EF56C845BAB77A8DF55711F24416BF9048B3D1DB38CD41E7A9
                                      APIs
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      • __Init_thread_footer.LIBCMT ref: 0040B797
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: [End of clipboard]$[Text copied to clipboard]
                                      • API String ID: 1881088180-3686566968
                                      • Opcode ID: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                                      • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                      • Opcode Fuzzy Hash: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                                      • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                      APIs
                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ACP$OCP
                                      • API String ID: 0-711371036
                                      • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                      • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                      • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                      • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                      APIs
                                      • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                                      • GetLastError.KERNEL32 ref: 0044B804
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorFileLastWrite
                                      • String ID: PkGNG
                                      • API String ID: 442123175-263838557
                                      • Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                                      • Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
                                      • Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                                      • Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68
                                      APIs
                                      • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                      • GetLastError.KERNEL32 ref: 0044B716
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorFileLastWrite
                                      • String ID: PkGNG
                                      • API String ID: 442123175-263838557
                                      • Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                      • Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
                                      • Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                      • Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64
                                      APIs
                                      • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 481472006-1507639952
                                      • Opcode ID: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
                                      • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                                      • Opcode Fuzzy Hash: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
                                      • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                                      APIs
                                      • Sleep.KERNEL32 ref: 00416640
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadFileSleep
                                      • String ID: !D@
                                      • API String ID: 1931167962-604454484
                                      • Opcode ID: 2ae7695c40f29ee67dd386e4d97dc8b30bdd8952bcd1bbd735126d4dc73e8781
                                      • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                      • Opcode Fuzzy Hash: 2ae7695c40f29ee67dd386e4d97dc8b30bdd8952bcd1bbd735126d4dc73e8781
                                      • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: alarm.wav$hYG
                                      • API String ID: 1174141254-2782910960
                                      • Opcode ID: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                                      • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                      • Opcode Fuzzy Hash: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                                      • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                      APIs
                                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                      • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                      • String ID: Online Keylogger Stopped
                                      • API String ID: 1623830855-1496645233
                                      • Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                                      • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                      • Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                                      • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                      APIs
                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String
                                      • String ID: LCMapStringEx$PkGNG
                                      • API String ID: 2568140703-1065776982
                                      • Opcode ID: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                                      • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                                      • Opcode Fuzzy Hash: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                                      • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99
                                      APIs
                                      • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                      • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferHeaderPrepare
                                      • String ID: XMG
                                      • API String ID: 2315374483-813777761
                                      • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                      • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                      • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                      • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                      APIs
                                      • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocaleValid
                                      • String ID: IsValidLocaleName$JD
                                      • API String ID: 1901932003-2234456777
                                      • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                      • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                      • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                      • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                      • API String ID: 1174141254-4188645398
                                      • Opcode ID: 7005c2773d118e2c9d7b7987c52ef0ef7a298987e294b58a31e1cd003faf56ca
                                      • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                      • Opcode Fuzzy Hash: 7005c2773d118e2c9d7b7987c52ef0ef7a298987e294b58a31e1cd003faf56ca
                                      • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                      • API String ID: 1174141254-2800177040
                                      • Opcode ID: ab3f2aba289be1bf0ad3848519e66e4cff6ce689097d1d423b573e143f03c488
                                      • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                      • Opcode Fuzzy Hash: ab3f2aba289be1bf0ad3848519e66e4cff6ce689097d1d423b573e143f03c488
                                      • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: AppData$\Opera Software\Opera Stable\
                                      • API String ID: 1174141254-1629609700
                                      • Opcode ID: ab88a7dc1cafb0835d30463df654517a200d7fa6beafa267c9165c8e72f76c47
                                      • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                      • Opcode Fuzzy Hash: ab88a7dc1cafb0835d30463df654517a200d7fa6beafa267c9165c8e72f76c47
                                      • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 0040B64B
                                        • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                        • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                        • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                        • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                        • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                        • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                        • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                      • String ID: [AltL]$[AltR]
                                      • API String ID: 2738857842-2658077756
                                      • Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                                      • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                      • Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                                      • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
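The function listing above surfaces several plaintext markers that the injected Remcos payload writes into its keylogger, clipboard and keep-alive logs ("Offline Keylogger Started", "Online Keylogger Stopped", "[Text copied to clipboard]", "[End of clipboard]", "KeepAlive | Enabled | Timeout: ", "[AltL]" / "[AltR]", "alarm.wav"). The scanner below is an added example, not Joe Sandbox output and not code from the sample: it searches a process memory dump for those markers as both ASCII and UTF-16LE (the sample calls the W variants of the Win32 APIs such as wsprintfW and PathFileExistsW, so the wide form is the one most likely to be present), reports the file offset and, assuming the dump is the 32-bit image mapped at 00400000 as the Memory Dump Source lines state, the virtual address. The `min_distinct` threshold and the constructed sample dump are assumptions for the example, not values from the report.

```python
"""Scan a process memory dump for Remcos RAT marker strings.

Added example for this report; not Joe Sandbox code and not part of the
analysed sample.  The marker strings are copied verbatim from the function
listing.  Every marker is searched as ASCII and as UTF-16LE because the
payload uses wide-character Win32 APIs.  A dump of a 32-bit image mapped at
0x400000 is assumed for the virtual-address column.
"""
import re
from dataclasses import dataclass

# Marker strings taken from the report's String ID fields; nothing added.
REMCOS_MARKERS = (
    "Offline Keylogger Started",
    "Online Keylogger Stopped",
    "[Text copied to clipboard]",
    "[End of clipboard]",
    "KeepAlive | Enabled | Timeout: ",
    "[AltL]",
    "[AltR]",
    "alarm.wav",
)

IMAGE_BASE = 0x400000  # "Offset: 00400000" in the Memory Dump Source lines (assumed for VA)


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset into the dump
    va: int         # offset rebased to IMAGE_BASE


def _compile(markers):
    """One alternation per encoding, so the dump is scanned twice rather than 2*N times."""
    ascii_alt = b"|".join(re.escape(m.encode("ascii")) for m in markers)
    wide_alt = b"|".join(re.escape(m.encode("utf-16le")) for m in markers)
    return re.compile(ascii_alt), re.compile(wide_alt)


def scan_dump(data: bytes, markers=REMCOS_MARKERS, image_base=IMAGE_BASE):
    """Return every marker occurrence in the dump, ordered by offset."""
    ascii_re, wide_re = _compile(markers)
    hits = []
    for m in ascii_re.finditer(data):
        hits.append(Hit(m.group().decode("ascii"), "ascii", m.start(), image_base + m.start()))
    for m in wide_re.finditer(data):
        hits.append(Hit(m.group().decode("utf-16le"), "utf-16le", m.start(), image_base + m.start()))
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits, min_distinct=3):
    """Require several distinct markers before flagging: a lone 'alarm.wav' or
    'Timeout:' string is not evidence on its own.  Threshold is an assumption."""
    distinct = {h.marker for h in hits}
    return len(distinct) >= min_distinct, sorted(distinct)


def build_sample_dump() -> bytes:
    """Constructed test input, not a real dump: neutral filler with markers
    embedded the way the payload stores them (UTF-16LE) plus one ASCII copy."""
    filler = bytes(range(256)) * 4  # 1024 bytes, contains none of the markers
    return (
        filler
        + "Offline Keylogger Started".encode("utf-16le") + b"\x00\x00"
        + filler
        + "KeepAlive | Enabled | Timeout: ".encode("utf-16le") + "30".encode("utf-16le")
        + filler
        + b"alarm.wav\x00"
        + filler
        + "[Text copied to clipboard]".encode("utf-16le")
        + filler
    )


if __name__ == "__main__":
    found = scan_dump(build_sample_dump())
    for h in found:
        print(f"{h.va:08X} {h.encoding:9s} {h.marker}")
    flagged, names = verdict(found)
    print("remcos markers present:", flagged, names)
```

Run it against the unpacked image, such as the dump this listing was generated from, rather than the on-disk loader; a packed or .NET-wrapped first stage will not expose these strings until the payload has been written into memory. Treat a positive verdict as a triage signal to be confirmed with a proper Yara rule and the C2 configuration, not as a classification by itself.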
                                      APIs
                                      • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                      • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: uD
                                      • API String ID: 0-2547262877
                                      • Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                      • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                      • Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                      • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                      APIs
                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$FileSystem
                                      • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                      • API String ID: 2086374402-949981407
                                      • Opcode ID: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                                      • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                      • Opcode Fuzzy Hash: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                                      • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: !D@$open
                                      • API String ID: 587946157-1586967515
                                      • Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                                      • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                      • Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                                      • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                      APIs
                                      • ___initconout.LIBCMT ref: 0045555B
                                        • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                                      • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConsoleCreateFileWrite___initconout
                                      • String ID: PkGNG
                                      • API String ID: 3087715906-263838557
                                      • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                      • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                                      • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                      • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                                      APIs
                                      • GetKeyState.USER32(00000012), ref: 0040B6A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State
                                      • String ID: [CtrlL]$[CtrlR]
                                      • API String ID: 1649606143-2446555240
                                      • Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                                      • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                      • Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                                      • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                      APIs
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      • __Init_thread_footer.LIBCMT ref: 00410F29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: ,kG$0kG
                                      • API String ID: 1881088180-2015055088
                                      • Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                      • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                      • Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                      • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                                      • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteOpenValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 2654517830-1051519024
                                      • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                      • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                      • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                      • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                      • GetLastError.KERNEL32 ref: 00440D35
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      • Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                      • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                      • Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                      • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                      APIs
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411B8C
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C58
                                      • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                      • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1377685766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastRead
                                      • String ID:
                                      • API String ID: 4100373531-0
                                      • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                      • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                      • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                      • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

                                      Execution Graph

                                      Execution Coverage:9.5%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:212
                                      Total number of Limit Nodes:13
                                      execution_graph: node and edge data for the interactive graph (rendered in the report viewer; raw edge list omitted). Root nodes: 77c331e, 77c6f78, 77c4ce8, 18e4668, 18ed138, 18eb378, 77c3144. API nodes reached: Wow64SetThreadContext, ResumeThread, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CloseHandle, PostMessageW, CreateActCtxA, DuplicateHandle, GetModuleHandleW.

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph: basic-block edge data for 77c2c94-77c2fe5 (rendered in the report viewer; raw edge list omitted). API node: CreateProcessA in block 77c2e2f-77c2ee9.
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077C2ED6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID: 7G$7G
                                      • API String ID: 963392458-765250710
                                      • Opcode ID: a1dd15365299095e163ff16c855d736fab2aa116fb42d98ac82ce38884f57080
                                      • Instruction ID: c81669f8d789dd0e36116cbc931b623644f9af76ba0cf17573243c55c0f1eb45
                                      • Opcode Fuzzy Hash: a1dd15365299095e163ff16c855d736fab2aa116fb42d98ac82ce38884f57080
                                      • Instruction Fuzzy Hash: FBA159B1D0071ACFEB20CFA8C8457DEBBB6BF48310F14856ED808A7245DB749985CB91

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph: basic-block edge data for 77c2ca0-77c2fe5 (rendered in the report viewer; raw edge list omitted). API node: CreateProcessA in block 77c2e2f-77c2ee9.
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077C2ED6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID: 7G$7G
                                      • API String ID: 963392458-765250710
                                      • Opcode ID: 57a242bdafc565277602ab060bda64cebce07d652319faa62bf6fc6234cb0e4e
                                      • Instruction ID: 75e9e4c09981ebb5035311f79ece5875b242ee9125347f18c00d88bbbaf164de
                                      • Opcode Fuzzy Hash: 57a242bdafc565277602ab060bda64cebce07d652319faa62bf6fc6234cb0e4e
                                      • Instruction Fuzzy Hash: A69149B1D0061ACFEB20CF68C841BDEBBB6BF49310F14856EE808A7245DB759985CF91

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph: basic-block edge data for 18e4248-18e5a61 (rendered in the report viewer; raw edge list omitted). API node: CreateActCtxA in block 18e4248-18e59d9.
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 018E59C9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1390784633.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_18e0000_Adobe.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID: 7G
                                      • API String ID: 2289755597-2776063829
                                      • Opcode ID: 025045755bee1af7b720b70bf21eedee61b848e92346ae912d2e13cde05023ed
                                      • Instruction ID: 909ed8c663d7d55f843551847b1c5926108023da1a8034b70093929f9972544f
                                      • Opcode Fuzzy Hash: 025045755bee1af7b720b70bf21eedee61b848e92346ae912d2e13cde05023ed
                                      • Instruction Fuzzy Hash: 7341B074C00719CBDB24DFAAC884BDEBBF5BF49718F60806AD408AB251DB756945CF90

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph: basic-block edge data for 18e590d-18e5a61 (rendered in the report viewer; raw edge list omitted). API node: CreateActCtxA in block 18e590d-18e59d9.
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 018E59C9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1390784633.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_18e0000_Adobe.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID: 7G
                                      • API String ID: 2289755597-2776063829
                                      • Opcode ID: 0cff091862ba1553377c24e83019fa541dbcc97425656dc60dc3f1ce986410f5
                                      • Instruction ID: 4675eedfdf263665192acaa07e33e36dd40e142fe26c22d89bb391859ff324be
                                      • Opcode Fuzzy Hash: 0cff091862ba1553377c24e83019fa541dbcc97425656dc60dc3f1ce986410f5
                                      • Instruction Fuzzy Hash: B741CFB4C00719CBEB24CFAAC884B9EBBF5BF49308F60806AD408AB255DB756945CF50

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph: basic-block edge data for 77c2a13-77c2aee (rendered in the report viewer; raw edge list omitted). API node: WriteProcessMemory in block 77c2a76-77c2ab5.
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077C2AA8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID: 7G
                                      • API String ID: 3559483778-2776063829
                                      • Opcode ID: eda45900516ab42d52099eb971a897d063fc5ac5c4e9356692f5c584f1e38d63
                                      • Instruction ID: 302b92d14b18b91da730abb0468d1d00aa572b85827fa199dac00141b4634cae
                                      • Opcode Fuzzy Hash: eda45900516ab42d52099eb971a897d063fc5ac5c4e9356692f5c584f1e38d63
                                      • Instruction Fuzzy Hash: 622137B59003099FDB10CFA9C885BDEBBF5FF48310F14842AE918A7241D7789A44CBA0

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph: basic-block edge data for 77c2a18-77c2aee (rendered in the report viewer; raw edge list omitted). API node: WriteProcessMemory in block 77c2a76-77c2ab5.
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077C2AA8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID: 7G
                                      • API String ID: 3559483778-2776063829
                                      • Opcode ID: 8085b27e9a8958add677e431cbd5cd28f3e7b3a6f2c1a8d107530abb5be6c6df
                                      • Instruction ID: 188b763c25e986127385a817a4cb3eabd72bcf029abcc78e1545c7b9ebb75626
                                      • Opcode Fuzzy Hash: 8085b27e9a8958add677e431cbd5cd28f3e7b3a6f2c1a8d107530abb5be6c6df
                                      • Instruction Fuzzy Hash: 0E2139B59003099FDB10CFA9C885BDEBBF5FF48310F54882EE918A7241D7799944CBA4

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph: basic-block edge data for 77c2878-77c2944 (rendered in the report viewer; raw edge list omitted). API node: Wow64SetThreadContext in block 77c28db-77c290b.
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077C28FE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID: 7G
                                      • API String ID: 983334009-2776063829
                                      • Opcode ID: 1e906f4b455c989273cb994fb48b30e9b802cb5752bc7059a6fef75702cf68c1
                                      • Instruction ID: 0764491c8d480885e73c92155a4e0f45511a2f16f2585e5f104c80faac686f08
                                      • Opcode Fuzzy Hash: 1e906f4b455c989273cb994fb48b30e9b802cb5752bc7059a6fef75702cf68c1
                                      • Instruction Fuzzy Hash: C92157B1D0030A9FDB10CFAAC4857EEBBF4AF48320F14842ED559A7241CB789945CFA0

Control-flow Graph (rendered image, executed/not-executed colouring not reproduced): basic blocks 77c2b01-77c2bce; ReadProcessMemory is called from block 77c2b01-77c2b95.
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077C2B88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID: 7G
                                      • API String ID: 1726664587-2776063829
                                      • Opcode ID: 557235c8f31757f6f562f3e8f95439c8bb57d8f650581ecb92bc7bdd65adcb18
                                      • Instruction ID: 57228cb0e803d76b7a1036103a5ed9d246354c19a3f803cdf063afdab8d97151
                                      • Opcode Fuzzy Hash: 557235c8f31757f6f562f3e8f95439c8bb57d8f650581ecb92bc7bdd65adcb18
                                      • Instruction Fuzzy Hash: 182116B58003499FDB10DFAAC885BDEBBF5FF48310F50882EE919A7240D7799541CBA0

Control-flow Graph (rendered image, executed/not-executed colouring not reproduced): basic blocks 18eb348-18ed43a; DuplicateHandle is called from block 18eb348-18ed414.
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018ED346,?,?,?,?,?), ref: 018ED407
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1390784633.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_18e0000_Adobe.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID: 7G
                                      • API String ID: 3793708945-2776063829
                                      • Opcode ID: 8519ac742f7874fde6ba86a985debddfd0e05e9de35d8738702d0848ef937ce5
                                      • Instruction ID: e7b6b90213717f41ddc6b133608293fdc879c467f554e45989b74f59a2194bcd
                                      • Opcode Fuzzy Hash: 8519ac742f7874fde6ba86a985debddfd0e05e9de35d8738702d0848ef937ce5
                                      • Instruction Fuzzy Hash: 4F21E4B5900309EFDB10CF9AD484ADEBBF8FB49310F14852AE954A3350D374A954CFA5

Control-flow Graph (rendered image, executed/not-executed colouring not reproduced): basic blocks 77c2b08-77c2bce; ReadProcessMemory is called from block 77c2b08-77c2b95.
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077C2B88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID: 7G
                                      • API String ID: 1726664587-2776063829
                                      • Opcode ID: 9b20822574950492eb9dfc31330cde7239e8e7bf0a2496d26462dbbcb743f0cd
                                      • Instruction ID: 39b22eff9b289f8a458118c7322d24eb8645796c5e0fc36ab6167fc8d4e010b9
                                      • Opcode Fuzzy Hash: 9b20822574950492eb9dfc31330cde7239e8e7bf0a2496d26462dbbcb743f0cd
                                      • Instruction Fuzzy Hash: 422114B18003499FDB10DFAAC885BEEBBF5FF48310F50882EE519A7240D7799940CBA0

Control-flow Graph (rendered image, executed/not-executed colouring not reproduced): basic blocks 77c2880-77c2944; Wow64SetThreadContext is called from block 77c28db-77c290b.
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077C28FE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID: 7G
                                      • API String ID: 983334009-2776063829
                                      • Opcode ID: 3ed57a2a3e833d7b4c8a9afad8fb093cb4f1f927690bf5dac5fa59b439d12ea8
                                      • Instruction ID: 110bf72acd2194cb9a5c12dab14dc3b59c24af917174d9591841c81847f30725
                                      • Opcode Fuzzy Hash: 3ed57a2a3e833d7b4c8a9afad8fb093cb4f1f927690bf5dac5fa59b439d12ea8
                                      • Instruction Fuzzy Hash: 022134B1D003099FDB10CFAAC4857EEBBF4AF48314F14842ED459A7241CB78AA45CBA0

Control-flow Graph (rendered image, executed/not-executed colouring not reproduced): basic blocks 18eb358-18eb408; GetModuleHandleW is called from block 18eb3c0-18eb3eb.
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 018EB3DE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1390784633.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_18e0000_Adobe.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID: 7G
                                      • API String ID: 4139908857-2776063829
                                      • Opcode ID: 8bb7f3690a33cc3cbfc4f6fcbc438e2f290f8474a8c4482ae566432226bdc0e4
                                      • Instruction ID: f2b363a9397f2dbd6467568452d7b8228b1128ff15c62afdb21d6dcf52170cb5
                                      • Opcode Fuzzy Hash: 8bb7f3690a33cc3cbfc4f6fcbc438e2f290f8474a8c4482ae566432226bdc0e4
                                      • Instruction Fuzzy Hash: 532156B5C043898FDB11CFAAD844BDEBFF4AF4A310F05849AD858A7251C378A509CFA1

Control-flow Graph (rendered image, executed/not-executed colouring not reproduced): basic blocks 18ed379-18ed43a; DuplicateHandle is called from block 18ed379-18ed414.
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018ED346,?,?,?,?,?), ref: 018ED407
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1390784633.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_18e0000_Adobe.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID: 7G
                                      • API String ID: 3793708945-2776063829
                                      • Opcode ID: 15ecd341c92f776ff003e8bdb90fdb668d8e029227c86bf8d6b9bc6e0b81d67a
                                      • Instruction ID: 3e11b52bc9acec81114cc45957a252ef9b7ab2455b5e8e039c8df1d2a31716b8
                                      • Opcode Fuzzy Hash: 15ecd341c92f776ff003e8bdb90fdb668d8e029227c86bf8d6b9bc6e0b81d67a
                                      • Instruction Fuzzy Hash: 3621E2B5D00209DFDB10CFAAD584ADEBBF4FB08310F14842AE918A3350D378AA44CF64

Control-flow Graph (rendered image, executed/not-executed colouring not reproduced): basic blocks 77c2950-77c2a01; VirtualAllocEx is called from block 77c295b-77c29d3.
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077C29C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID: 7G
                                      • API String ID: 4275171209-2776063829
                                      • Opcode ID: 114614a63e0bde3527db6d268611cb3bdc69dbe6663665217b2c9a0561e39895
                                      • Instruction ID: f61a00cced87d882d9a57fde59cf5bd657234473ab7c2ca4aea53ac0577a9d72
                                      • Opcode Fuzzy Hash: 114614a63e0bde3527db6d268611cb3bdc69dbe6663665217b2c9a0561e39895
                                      • Instruction Fuzzy Hash: 251147B68002099FDB10DFAAD845BEEBBF5AB49310F14882AE515A7250C775A540CFA1

Control-flow Graph (rendered image, executed/not-executed colouring not reproduced): basic blocks 77c2958-77c2a01; VirtualAllocEx is called from block 77c2958-77c29d3.
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077C29C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID: 7G
                                      • API String ID: 4275171209-2776063829
                                      • Opcode ID: 7050782a207fe169286e049679d82619b4708ed97e02d71fa8b962ba971b8e86
                                      • Instruction ID: 2ae1d1a9ce26f8aeabfa525bdff41f34dc8c676e0d6af5d2f8ef79b1d60479b5
                                      • Opcode Fuzzy Hash: 7050782a207fe169286e049679d82619b4708ed97e02d71fa8b962ba971b8e86
                                      • Instruction Fuzzy Hash: 511126B68003499FDB10DFAAC845BEEBBF5EF48310F14881AE515A7250C775A540CFA0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID: 7G
                                      • API String ID: 947044025-2776063829
                                      • Opcode ID: d4dfaad2972db2aa590a70ad0e58e5e35d962b1838356e20e05e906374f3791c
                                      • Instruction ID: d0c808a26f71edc526eb27b144101bcce84c039c44b745fb77e956e6089553a2
                                      • Opcode Fuzzy Hash: d4dfaad2972db2aa590a70ad0e58e5e35d962b1838356e20e05e906374f3791c
                                      • Instruction Fuzzy Hash: C01116B59043498BDB10DFAAC4457DFFBF4EF88314F24882AD919A7240D779AA44CBA4
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID: 7G
                                      • API String ID: 947044025-2776063829
                                      • Opcode ID: 5fdd334b20d895fcb9204451747b792383c4b45cea81fca2b1f61b2e9ed4fa8b
                                      • Instruction ID: 22b35c280fe2e17dfe6a8479875b1fdad51f84b239dede9e2f1866348ca4b0f3
                                      • Opcode Fuzzy Hash: 5fdd334b20d895fcb9204451747b792383c4b45cea81fca2b1f61b2e9ed4fa8b
                                      • Instruction Fuzzy Hash: 151125B5D003498BDB10DFAAC4457DEFBF4EB88324F24882ED519A7240CB79A944CBA4
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 077C4FC5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID: 7G
                                      • API String ID: 410705778-2776063829
                                      • Opcode ID: ee8cc7f83b828d1d4ab9d72019253fb63e87cf9ad56e7a27ede2a39edd284eaf
                                      • Instruction ID: cb9164bf6a75599c4e2ded48371b460e068d6440cfffcfdb8e3fe06a4d477ad8
                                      • Opcode Fuzzy Hash: ee8cc7f83b828d1d4ab9d72019253fb63e87cf9ad56e7a27ede2a39edd284eaf
                                      • Instruction Fuzzy Hash: 731106B58003499FDB20CF9AD445BDEBFF8EB48320F14891EE514A7650C375A544CFA5
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 077C4FC5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID: 7G
                                      • API String ID: 410705778-2776063829
                                      • Opcode ID: ce88de3089c80e8e1cf76cdfd587fa2e15fa95e4f43a9596ee4477dc9e828fe4
                                      • Instruction ID: 4e22edde5480b6f0bfc759bf1ee6e233b7f34a22e65a6be2181f1c6ee294b8f7
                                      • Opcode Fuzzy Hash: ce88de3089c80e8e1cf76cdfd587fa2e15fa95e4f43a9596ee4477dc9e828fe4
                                      • Instruction Fuzzy Hash: D311F2B58003499FDB20CF9AC485BDEBFF8EB48320F14881EE918A7640D375A944CFA5
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 018EB3DE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1390784633.00000000018E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_18e0000_Adobe.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID: 7G
                                      • API String ID: 4139908857-2776063829
                                      • Opcode ID: 52a3291a97e3b388d1a2ca970842266583211c1ad22ffb4d54192e19184a03b5
                                      • Instruction ID: 7514e6cc26ac13ff45706feac26e05f4d0bbc91b770055631721ccae702df9fa
                                      • Opcode Fuzzy Hash: 52a3291a97e3b388d1a2ca970842266583211c1ad22ffb4d54192e19184a03b5
                                      • Instruction Fuzzy Hash: 7A11DFB5C0064A8FDB10CF9AC449ADEFBF4AB89314F10842AD929A7610D379A645CFA5
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID: 7G
                                      • API String ID: 947044025-2776063829
                                      • Opcode ID: 040887c1e9aaa6c8b8b7daa4e46a6388fe5657aec41c1c77a85782a5a2cf9852
                                      • Instruction ID: ebd34772d5bd5db86e43a957782e374ebbfac7d5b90e2c13d02ff85fcece0223
                                      • Opcode Fuzzy Hash: 040887c1e9aaa6c8b8b7daa4e46a6388fe5657aec41c1c77a85782a5a2cf9852
                                      • Instruction Fuzzy Hash: 4F1145B1D043498FDB10CFA9C4457EEFBF0AF89314F24886EC159A7241CB799A44CBA5
                                      APIs
                                      • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,077C7009,?,?), ref: 077C71B0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID: 7G
                                      • API String ID: 2962429428-2776063829
                                      • Opcode ID: 105c9f031ee19acdefcfdb197bb1fe1de1fbcf2b0af17e92e334200861813ad1
                                      • Instruction ID: 7a8ea6071fc2658cfed1fc0ba2ef542a3be9fe1c1fa6b0e0c2365e89cff69768
                                      • Opcode Fuzzy Hash: 105c9f031ee19acdefcfdb197bb1fe1de1fbcf2b0af17e92e334200861813ad1
                                      • Instruction Fuzzy Hash: DB1125B58007499FDB14DF9AC445BDEBBF4EB48320F10886ED958A7340D778A944CFA5
                                      APIs
                                      • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,077C7009,?,?), ref: 077C71B0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1395184989.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_77c0000_Adobe.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID: 7G
                                      • API String ID: 2962429428-2776063829
                                      • Opcode ID: 082f01fffa464f875f1eb495dcedd2fcdca05af65d4cf5643aeec714d33d7fdc
                                      • Instruction ID: 12bed2485f1076d015f30b1d9fef3b64f38ee265637d7fa35b7467ae05ded5e8
                                      • Opcode Fuzzy Hash: 082f01fffa464f875f1eb495dcedd2fcdca05af65d4cf5643aeec714d33d7fdc
                                      • Instruction Fuzzy Hash: 521125B580024ACFDB20CF99D444BEEBBF4EB48320F14896AD458A7740C779A944CFA4
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1390439425.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_180d000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 92a25db59ab1721ca587bb59446ff176adb762eff3a35f968ca8e1b20f56ae5e
                                      • Instruction ID: 71c75dce4d4630d77678edc10f8e5f48f12b74d6f415aeb59aad402d7bb570ae
                                      • Opcode Fuzzy Hash: 92a25db59ab1721ca587bb59446ff176adb762eff3a35f968ca8e1b20f56ae5e
                                      • Instruction Fuzzy Hash: 72210071604348DFDB56DF94D8C0B26BB65EB84318F24C669D80E8B282C33AD907CA62
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1390439425.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_180d000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                      • Instruction ID: 4ebf747a4d337cc34e5935eb16b8c9867225f5fb7200a639b86bea98ae44d038
                                      • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                      • Instruction Fuzzy Hash: 5F11BE75504284CFCB12CF94D9C4B15BB61FB44314F24C6AAD8098B696C33AD54ACF62

                                      Execution Graph

                                      Execution Coverage:2.6%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:1668
                                      Total number of Limit Nodes:5
execution_graph (rendered image; the node and edge listing is not reproduced): function nodes in the 0x10000000 module reference API calls including GetCommandLineA/GetCommandLineW, CloseHandle, RtlEnterCriticalSection/RtlLeaveCriticalSection, RtlDeleteCriticalSection, RaiseException and IsProcessorFeaturePresent, together with CRT helpers such as __dosmaperr, _free, _abort, __fassign and ___std_exception_copy.
1000a0be 6797->6799 6801 100062ac ___std_exception_copy 26 API calls 6799->6801 6800 1000a0ea 6810 1000a026 6800->6810 6801->6805 6803 1000a0f5 6826 1000a112 6803->6826 6805->6767 7074 100056b9 RtlLeaveCriticalSection 6806->7074 6808 1000907a 6808->6763 6809->6800 6811 1000a033 6810->6811 6812 1000a048 6810->6812 6813 10006368 __dosmaperr 20 API calls 6811->6813 6818 1000a043 6812->6818 6829 10008e12 6812->6829 6814 1000a038 6813->6814 6816 100062ac ___std_exception_copy 26 API calls 6814->6816 6816->6818 6818->6803 6819 1000907c 20 API calls 6820 1000a064 6819->6820 6835 10007a5a 6820->6835 6822 1000a06a 6842 1000adce 6822->6842 6825 1000571e _free 20 API calls 6825->6818 7073 10007ba8 RtlLeaveCriticalSection 6826->7073 6828 1000a11a 6828->6805 6830 10008e2a 6829->6830 6831 10008e26 6829->6831 6830->6831 6832 10007a5a 26 API calls 6830->6832 6831->6819 6833 10008e4a 6832->6833 6857 10009a22 6833->6857 6836 10007a66 6835->6836 6837 10007a7b 6835->6837 6838 10006368 __dosmaperr 20 API calls 6836->6838 6837->6822 6839 10007a6b 6838->6839 6840 100062ac ___std_exception_copy 26 API calls 6839->6840 6841 10007a76 6840->6841 6841->6822 6843 1000adf2 6842->6843 6844 1000addd 6842->6844 6845 1000ae2d 6843->6845 6850 1000ae19 6843->6850 6846 10006355 __dosmaperr 20 API calls 6844->6846 6847 10006355 __dosmaperr 20 API calls 6845->6847 6848 1000ade2 6846->6848 6851 1000ae32 6847->6851 6849 10006368 __dosmaperr 20 API calls 6848->6849 6854 1000a070 6849->6854 7030 1000ada6 6850->7030 6853 10006368 __dosmaperr 20 API calls 6851->6853 6855 1000ae3a 6853->6855 6854->6818 6854->6825 6856 100062ac ___std_exception_copy 26 API calls 6855->6856 6856->6854 6858 10009a2e ___DestructExceptionObject 6857->6858 6859 10009a36 6858->6859 6860 10009a4e 6858->6860 6882 10006355 6859->6882 6862 10009aec 6860->6862 6866 10009a83 6860->6866 6864 10006355 __dosmaperr 20 API calls 6862->6864 6867 10009af1 6864->6867 6865 10006368 __dosmaperr 20 API calls 6868 10009a43 _abort 6865->6868 6885 
10008c7b RtlEnterCriticalSection 6866->6885 6870 10006368 __dosmaperr 20 API calls 6867->6870 6868->6831 6872 10009af9 6870->6872 6871 10009a89 6873 10009aa5 6871->6873 6874 10009aba 6871->6874 6875 100062ac ___std_exception_copy 26 API calls 6872->6875 6876 10006368 __dosmaperr 20 API calls 6873->6876 6886 10009b0d 6874->6886 6875->6868 6878 10009aaa 6876->6878 6880 10006355 __dosmaperr 20 API calls 6878->6880 6879 10009ab5 6937 10009ae4 6879->6937 6880->6879 6883 10005b7a __dosmaperr 20 API calls 6882->6883 6884 1000635a 6883->6884 6884->6865 6885->6871 6887 10009b34 6886->6887 6888 10009b3b 6886->6888 6891 10002ada _ValidateLocalCookies 5 API calls 6887->6891 6889 10009b5e 6888->6889 6890 10009b3f 6888->6890 6893 10009baf 6889->6893 6894 10009b92 6889->6894 6892 10006355 __dosmaperr 20 API calls 6890->6892 6895 10009d15 6891->6895 6896 10009b44 6892->6896 6898 10009bc5 6893->6898 6940 1000a00b 6893->6940 6897 10006355 __dosmaperr 20 API calls 6894->6897 6895->6879 6899 10006368 __dosmaperr 20 API calls 6896->6899 6903 10009b97 6897->6903 6943 100096b2 6898->6943 6901 10009b4b 6899->6901 6904 100062ac ___std_exception_copy 26 API calls 6901->6904 6906 10006368 __dosmaperr 20 API calls 6903->6906 6904->6887 6909 10009b9f 6906->6909 6907 10009bd3 6910 10009bf9 6907->6910 6917 10009bd7 6907->6917 6908 10009c0c 6912 10009c20 6908->6912 6913 10009c66 WriteFile 6908->6913 6911 100062ac ___std_exception_copy 26 API calls 6909->6911 6955 10009492 GetConsoleCP 6910->6955 6911->6887 6914 10009c56 6912->6914 6915 10009c28 6912->6915 6919 10009c89 GetLastError 6913->6919 6924 10009bef 6913->6924 6981 10009728 6914->6981 6920 10009c46 6915->6920 6921 10009c2d 6915->6921 6916 10009ccd 6916->6887 6926 10006368 __dosmaperr 20 API calls 6916->6926 6917->6916 6950 10009645 6917->6950 6919->6924 6973 100098f5 6920->6973 6921->6916 6966 10009807 6921->6966 6924->6887 6924->6916 6927 10009ca9 6924->6927 6929 10009cf2 6926->6929 6931 10009cb0 6927->6931 6932 10009cc4 6927->6932 6930 
10006355 __dosmaperr 20 API calls 6929->6930 6930->6887 6933 10006368 __dosmaperr 20 API calls 6931->6933 6988 10006332 6932->6988 6935 10009cb5 6933->6935 6936 10006355 __dosmaperr 20 API calls 6935->6936 6936->6887 7029 10008c9e RtlLeaveCriticalSection 6937->7029 6939 10009aea 6939->6868 6993 10009f8d 6940->6993 7015 10008dbc 6943->7015 6945 100096c2 6946 100096c7 6945->6946 6947 10005af6 _abort 38 API calls 6945->6947 6946->6907 6946->6908 6948 100096ea 6947->6948 6948->6946 6949 10009708 GetConsoleMode 6948->6949 6949->6946 6951 1000969f 6950->6951 6954 1000966a 6950->6954 6951->6924 6952 1000a181 WriteConsoleW CreateFileW 6952->6954 6953 100096a1 GetLastError 6953->6951 6954->6951 6954->6952 6954->6953 6959 100094f5 6955->6959 6965 10009607 6955->6965 6956 10002ada _ValidateLocalCookies 5 API calls 6957 10009641 6956->6957 6957->6924 6960 1000957b WideCharToMultiByte 6959->6960 6962 100079e6 40 API calls __fassign 6959->6962 6964 100095d2 WriteFile 6959->6964 6959->6965 7024 10007c19 6959->7024 6961 100095a1 WriteFile 6960->6961 6960->6965 6961->6959 6963 1000962a GetLastError 6961->6963 6962->6959 6963->6965 6964->6959 6964->6963 6965->6956 6968 10009816 6966->6968 6967 100098d8 6970 10002ada _ValidateLocalCookies 5 API calls 6967->6970 6968->6967 6969 10009894 WriteFile 6968->6969 6969->6968 6971 100098da GetLastError 6969->6971 6972 100098f1 6970->6972 6971->6967 6972->6924 6980 10009904 6973->6980 6974 10009a0f 6975 10002ada _ValidateLocalCookies 5 API calls 6974->6975 6977 10009a1e 6975->6977 6976 10009986 WideCharToMultiByte 6978 10009a07 GetLastError 6976->6978 6979 100099bb WriteFile 6976->6979 6977->6924 6978->6974 6979->6978 6979->6980 6980->6974 6980->6976 6980->6979 6986 10009737 6981->6986 6982 100097ea 6983 10002ada _ValidateLocalCookies 5 API calls 6982->6983 6985 10009803 6983->6985 6984 100097a9 WriteFile 6984->6986 6987 100097ec GetLastError 6984->6987 6985->6924 6986->6982 6986->6984 6987->6982 6989 10006355 __dosmaperr 20 API calls 
6988->6989 6990 1000633d __dosmaperr 6989->6990 6991 10006368 __dosmaperr 20 API calls 6990->6991 6992 10006350 6991->6992 6992->6887 7002 10008d52 6993->7002 6995 10009f9f 6996 10009fa7 6995->6996 6997 10009fb8 SetFilePointerEx 6995->6997 7000 10006368 __dosmaperr 20 API calls 6996->7000 6998 10009fd0 GetLastError 6997->6998 6999 10009fac 6997->6999 7001 10006332 __dosmaperr 20 API calls 6998->7001 6999->6898 7000->6999 7001->6999 7003 10008d74 7002->7003 7004 10008d5f 7002->7004 7007 10006355 __dosmaperr 20 API calls 7003->7007 7009 10008d99 7003->7009 7005 10006355 __dosmaperr 20 API calls 7004->7005 7006 10008d64 7005->7006 7008 10006368 __dosmaperr 20 API calls 7006->7008 7010 10008da4 7007->7010 7011 10008d6c 7008->7011 7009->6995 7012 10006368 __dosmaperr 20 API calls 7010->7012 7011->6995 7013 10008dac 7012->7013 7014 100062ac ___std_exception_copy 26 API calls 7013->7014 7014->7011 7016 10008dd6 7015->7016 7017 10008dc9 7015->7017 7019 10008de2 7016->7019 7020 10006368 __dosmaperr 20 API calls 7016->7020 7018 10006368 __dosmaperr 20 API calls 7017->7018 7021 10008dce 7018->7021 7019->6945 7022 10008e03 7020->7022 7021->6945 7023 100062ac ___std_exception_copy 26 API calls 7022->7023 7023->7021 7025 10005af6 _abort 38 API calls 7024->7025 7026 10007c24 7025->7026 7027 10007a00 __fassign 38 API calls 7026->7027 7028 10007c34 7027->7028 7028->6959 7029->6939 7033 1000ad24 7030->7033 7032 1000adca 7032->6854 7034 1000ad30 ___DestructExceptionObject 7033->7034 7044 10008c7b RtlEnterCriticalSection 7034->7044 7036 1000ad3e 7037 1000ad70 7036->7037 7038 1000ad65 7036->7038 7040 10006368 __dosmaperr 20 API calls 7037->7040 7045 1000ae4d 7038->7045 7041 1000ad6b 7040->7041 7060 1000ad9a 7041->7060 7043 1000ad8d _abort 7043->7032 7044->7036 7046 10008d52 26 API calls 7045->7046 7047 1000ae5d 7046->7047 7048 1000ae63 7047->7048 7050 1000ae95 7047->7050 7053 10008d52 26 API calls 7047->7053 7063 10008cc1 7048->7063 7050->7048 7051 10008d52 26 API calls 7050->7051 7055 
1000aea1 CloseHandle 7051->7055 7054 1000ae8c 7053->7054 7057 10008d52 26 API calls 7054->7057 7055->7048 7058 1000aead GetLastError 7055->7058 7056 1000aedd 7056->7041 7057->7050 7058->7048 7059 10006332 __dosmaperr 20 API calls 7059->7056 7072 10008c9e RtlLeaveCriticalSection 7060->7072 7062 1000ada4 7062->7043 7064 10008cd0 7063->7064 7065 10008d37 7063->7065 7064->7065 7070 10008cfa 7064->7070 7066 10006368 __dosmaperr 20 API calls 7065->7066 7067 10008d3c 7066->7067 7068 10006355 __dosmaperr 20 API calls 7067->7068 7069 10008d27 7068->7069 7069->7056 7069->7059 7070->7069 7071 10008d21 SetStdHandle 7070->7071 7071->7069 7072->7062 7073->6828 7074->6808 7075 10002049 7076 10002055 ___DestructExceptionObject 7075->7076 7077 100020d3 7076->7077 7078 1000207d 7076->7078 7088 1000205e 7076->7088 7079 10002639 ___scrt_fastfail 4 API calls 7077->7079 7089 1000244c 7078->7089 7081 100020da 7079->7081 7082 10002082 7098 10002308 7082->7098 7084 10002087 __RTC_Initialize 7101 100020c4 7084->7101 7086 1000209f 7104 1000260b 7086->7104 7090 10002451 ___scrt_release_startup_lock 7089->7090 7091 10002461 7090->7091 7092 10002455 7090->7092 7095 1000246e 7091->7095 7096 1000499b _abort 28 API calls 7091->7096 7093 1000527a _abort 20 API calls 7092->7093 7094 1000245f 7093->7094 7094->7082 7095->7082 7097 10004bbd 7096->7097 7097->7082 7110 100034c7 RtlInterlockedFlushSList 7098->7110 7100 10002312 7100->7084 7112 1000246f 7101->7112 7103 100020c9 ___scrt_release_startup_lock 7103->7086 7105 10002617 7104->7105 7106 1000262d 7105->7106 7131 100053ed 7105->7131 7106->7088 7109 10003529 ___vcrt_uninitialize 8 API calls 7109->7106 7111 100034d7 7110->7111 7111->7100 7117 100053ff 7112->7117 7115 1000391b ___vcrt_uninitialize_ptd 6 API calls 7116 1000354d 7115->7116 7116->7103 7120 10005c2b 7117->7120 7121 10005c35 7120->7121 7123 10002476 7120->7123 7124 10005db2 7121->7124 7123->7115 7125 10005c45 __dosmaperr 5 API calls 7124->7125 7126 10005dd9 7125->7126 7127 10005df1 TlsFree 
7126->7127 7128 10005de5 7126->7128 7127->7128 7129 10002ada _ValidateLocalCookies 5 API calls 7128->7129 7130 10005e02 7129->7130 7130->7123 7134 100074da 7131->7134 7137 100074f3 7134->7137 7135 10002ada _ValidateLocalCookies 5 API calls 7136 10002625 7135->7136 7136->7109 7137->7135 7271 10008a89 7274 10006d60 7271->7274 7275 10006d69 7274->7275 7276 10006d72 7274->7276 7278 10006c5f 7275->7278 7279 10005af6 _abort 38 API calls 7278->7279 7280 10006c6c 7279->7280 7281 10006d7e __fassign 38 API calls 7280->7281 7282 10006c74 7281->7282 7298 100069f3 7282->7298 7285 10006c8b 7285->7276 7288 10006cce 7291 1000571e _free 20 API calls 7288->7291 7291->7285 7292 10006cc9 7293 10006368 __dosmaperr 20 API calls 7292->7293 7293->7288 7294 10006d12 7294->7288 7322 100068c9 7294->7322 7295 10006ce6 7295->7294 7296 1000571e _free 20 API calls 7295->7296 7296->7294 7299 100054a7 __fassign 38 API calls 7298->7299 7300 10006a05 7299->7300 7301 10006a14 GetOEMCP 7300->7301 7302 10006a26 7300->7302 7304 10006a3d 7301->7304 7303 10006a2b GetACP 7302->7303 7302->7304 7303->7304 7304->7285 7305 100056d0 7304->7305 7306 1000570e 7305->7306 7310 100056de __dosmaperr 7305->7310 7307 10006368 __dosmaperr 20 API calls 7306->7307 7309 1000570c 7307->7309 7308 100056f9 RtlAllocateHeap 7308->7309 7308->7310 7309->7288 7312 10006e20 7309->7312 7310->7306 7310->7308 7311 1000474f __dosmaperr 7 API calls 7310->7311 7311->7310 7313 100069f3 40 API calls 7312->7313 7314 10006e3f 7313->7314 7317 10006e90 IsValidCodePage 7314->7317 7319 10006e46 7314->7319 7321 10006eb5 ___scrt_fastfail 7314->7321 7315 10002ada _ValidateLocalCookies 5 API calls 7316 10006cc1 7315->7316 7316->7292 7316->7295 7318 10006ea2 GetCPInfo 7317->7318 7317->7319 7318->7319 7318->7321 7319->7315 7325 10006acb GetCPInfo 7321->7325 7398 10006886 7322->7398 7324 100068ed 7324->7288 7331 10006b05 7325->7331 7334 10006baf 7325->7334 7328 10002ada _ValidateLocalCookies 5 API calls 7330 10006c5b 7328->7330 7330->7319 7335 100086e4 
7331->7335 7333 10008a3e 43 API calls 7333->7334 7334->7328 7336 100054a7 __fassign 38 API calls 7335->7336 7337 10008704 MultiByteToWideChar 7336->7337 7339 10008742 7337->7339 7340 100087da 7337->7340 7342 100056d0 21 API calls 7339->7342 7345 10008763 ___scrt_fastfail 7339->7345 7341 10002ada _ValidateLocalCookies 5 API calls 7340->7341 7343 10006b66 7341->7343 7342->7345 7349 10008a3e 7343->7349 7344 100087d4 7354 10008801 7344->7354 7345->7344 7347 100087a8 MultiByteToWideChar 7345->7347 7347->7344 7348 100087c4 GetStringTypeW 7347->7348 7348->7344 7350 100054a7 __fassign 38 API calls 7349->7350 7351 10008a51 7350->7351 7358 10008821 7351->7358 7355 1000880d 7354->7355 7356 1000881e 7354->7356 7355->7356 7357 1000571e _free 20 API calls 7355->7357 7356->7340 7357->7356 7360 1000883c 7358->7360 7359 10008862 MultiByteToWideChar 7361 1000888c 7359->7361 7372 10008a16 7359->7372 7360->7359 7366 100056d0 21 API calls 7361->7366 7368 100088ad 7361->7368 7362 10002ada _ValidateLocalCookies 5 API calls 7363 10006b87 7362->7363 7363->7333 7364 100088f6 MultiByteToWideChar 7365 10008962 7364->7365 7367 1000890f 7364->7367 7370 10008801 __freea 20 API calls 7365->7370 7366->7368 7385 10005f19 7367->7385 7368->7364 7368->7365 7370->7372 7372->7362 7373 10008971 7375 100056d0 21 API calls 7373->7375 7378 10008992 7373->7378 7374 10008939 7374->7365 7376 10005f19 11 API calls 7374->7376 7375->7378 7376->7365 7377 10008a07 7380 10008801 __freea 20 API calls 7377->7380 7378->7377 7379 10005f19 11 API calls 7378->7379 7381 100089e6 7379->7381 7380->7365 7381->7377 7382 100089f5 WideCharToMultiByte 7381->7382 7382->7377 7383 10008a35 7382->7383 7384 10008801 __freea 20 API calls 7383->7384 7384->7365 7386 10005c45 __dosmaperr 5 API calls 7385->7386 7387 10005f40 7386->7387 7390 10005f49 7387->7390 7393 10005fa1 7387->7393 7391 10002ada _ValidateLocalCookies 5 API calls 7390->7391 7392 10005f9b 7391->7392 7392->7365 7392->7373 7392->7374 7394 10005c45 __dosmaperr 5 API calls 
7393->7394 7395 10005fc8 7394->7395 7396 10002ada _ValidateLocalCookies 5 API calls 7395->7396 7397 10005f89 LCMapStringW 7396->7397 7397->7390 7399 10006892 ___DestructExceptionObject 7398->7399 7406 10005671 RtlEnterCriticalSection 7399->7406 7401 1000689c 7407 100068f1 7401->7407 7405 100068b5 _abort 7405->7324 7406->7401 7419 10007011 7407->7419 7409 1000693f 7410 10007011 26 API calls 7409->7410 7411 1000695b 7410->7411 7412 10007011 26 API calls 7411->7412 7413 10006979 7412->7413 7414 100068a9 7413->7414 7415 1000571e _free 20 API calls 7413->7415 7416 100068bd 7414->7416 7415->7414 7433 100056b9 RtlLeaveCriticalSection 7416->7433 7418 100068c7 7418->7405 7420 10007022 7419->7420 7429 1000701e 7419->7429 7421 10007029 7420->7421 7425 1000703c ___scrt_fastfail 7420->7425 7422 10006368 __dosmaperr 20 API calls 7421->7422 7423 1000702e 7422->7423 7424 100062ac ___std_exception_copy 26 API calls 7423->7424 7424->7429 7426 10007073 7425->7426 7427 1000706a 7425->7427 7425->7429 7426->7429 7431 10006368 __dosmaperr 20 API calls 7426->7431 7428 10006368 __dosmaperr 20 API calls 7427->7428 7430 1000706f 7428->7430 7429->7409 7432 100062ac ___std_exception_copy 26 API calls 7430->7432 7431->7430 7432->7429 7433->7418 6107 1000220c 6108 10002215 6107->6108 6109 1000221a dllmain_dispatch 6107->6109 6111 100022b1 6108->6111 6112 100022c7 6111->6112 6114 100022d0 6112->6114 6115 10002264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6112->6115 6114->6109 6115->6114 7138 1000724e GetProcessHeap 7139 1000284f 7140 10002882 std::exception::exception 27 API calls 7139->7140 7141 1000285d 7140->7141 7438 10003c90 RtlUnwind 7536 100036d0 7537 100036e2 7536->7537 7539 100036f0 @_EH4_CallFilterFunc@8 7536->7539 7538 10002ada _ValidateLocalCookies 5 API calls 7537->7538 7538->7539 7142 10005351 7143 10005360 7142->7143 7144 10005374 7142->7144 7143->7144 7147 1000571e _free 20 API calls 7143->7147 7145 1000571e _free 20 API calls 
7144->7145 7146 10005386 7145->7146 7148 1000571e _free 20 API calls 7146->7148 7147->7144 7149 10005399 7148->7149 7150 1000571e _free 20 API calls 7149->7150 7151 100053aa 7150->7151 7152 1000571e _free 20 API calls 7151->7152 7153 100053bb 7152->7153 7540 100073d5 7541 100073e1 ___DestructExceptionObject 7540->7541 7552 10005671 RtlEnterCriticalSection 7541->7552 7543 100073e8 7544 10008be3 27 API calls 7543->7544 7545 100073f7 7544->7545 7551 10007406 7545->7551 7553 10007269 GetStartupInfoW 7545->7553 7550 10007417 _abort 7564 10007422 7551->7564 7552->7543 7554 10007286 7553->7554 7555 10007318 7553->7555 7554->7555 7556 10008be3 27 API calls 7554->7556 7559 1000731f 7555->7559 7557 100072af 7556->7557 7557->7555 7558 100072dd GetFileType 7557->7558 7558->7557 7561 10007326 7559->7561 7560 10007369 GetStdHandle 7560->7561 7561->7560 7562 100073d1 7561->7562 7563 1000737c GetFileType 7561->7563 7562->7551 7563->7561 7567 100056b9 RtlLeaveCriticalSection 7564->7567 7566 10007429 7566->7550 7567->7566 7568 10004ed7 7569 10006d60 51 API calls 7568->7569 7570 10004ee9 7569->7570 7579 10007153 GetEnvironmentStringsW 7570->7579 7573 10004ef4 7575 1000571e _free 20 API calls 7573->7575 7576 10004f29 7575->7576 7577 10004eff 7578 1000571e _free 20 API calls 7577->7578 7578->7573 7580 1000716a 7579->7580 7590 100071bd 7579->7590 7581 10007170 WideCharToMultiByte 7580->7581 7584 1000718c 7581->7584 7581->7590 7582 100071c6 FreeEnvironmentStringsW 7583 10004eee 7582->7583 7583->7573 7591 10004f2f 7583->7591 7585 100056d0 21 API calls 7584->7585 7586 10007192 7585->7586 7587 100071af 7586->7587 7588 10007199 WideCharToMultiByte 7586->7588 7589 1000571e _free 20 API calls 7587->7589 7588->7587 7589->7590 7590->7582 7590->7583 7592 10004f44 7591->7592 7593 1000637b __dosmaperr 20 API calls 7592->7593 7597 10004f6b 7593->7597 7594 1000571e _free 20 API calls 7596 10004fe9 7594->7596 7595 10004fcf 7595->7594 7596->7577 7597->7595 7598 1000637b __dosmaperr 20 API calls 
7597->7598 7599 10004fd1 7597->7599 7600 1000544d ___std_exception_copy 26 API calls 7597->7600 7603 10004ff3 7597->7603 7606 1000571e _free 20 API calls 7597->7606 7598->7597 7601 10005000 20 API calls 7599->7601 7600->7597 7602 10004fd7 7601->7602 7604 1000571e _free 20 API calls 7602->7604 7605 100062bc ___std_exception_copy 11 API calls 7603->7605 7604->7595 7607 10004fff 7605->7607 7606->7597 6116 10002418 6117 10002420 ___scrt_release_startup_lock 6116->6117 6120 100047f5 6117->6120 6119 10002448 6121 10004804 6120->6121 6122 10004808 6120->6122 6121->6119 6125 10004815 6122->6125 6126 10005b7a __dosmaperr 20 API calls 6125->6126 6129 1000482c 6126->6129 6127 10002ada _ValidateLocalCookies 5 API calls 6128 10004811 6127->6128 6128->6119 6129->6127 7439 10004a9a 7442 10005411 7439->7442 7443 1000541d _abort 7442->7443 7444 10005af6 _abort 38 API calls 7443->7444 7447 10005422 7444->7447 7445 100055a8 _abort 38 API calls 7446 1000544c 7445->7446 7447->7445 5858 10001c5b 5859 10001c6b ___scrt_fastfail 5858->5859 5862 100012ee 5859->5862 5861 10001c87 5863 10001324 ___scrt_fastfail 5862->5863 5864 100013b7 GetEnvironmentVariableW 5863->5864 5888 100010f1 5864->5888 5867 100010f1 57 API calls 5868 10001465 5867->5868 5869 100010f1 57 API calls 5868->5869 5870 10001479 5869->5870 5871 100010f1 57 API calls 5870->5871 5872 1000148d 5871->5872 5873 100010f1 57 API calls 5872->5873 5874 100014a1 5873->5874 5875 100010f1 57 API calls 5874->5875 5876 100014b5 lstrlenW 5875->5876 5877 100014d2 5876->5877 5878 100014d9 lstrlenW 5876->5878 5877->5861 5879 100010f1 57 API calls 5878->5879 5880 10001501 lstrlenW lstrcatW 5879->5880 5881 100010f1 57 API calls 5880->5881 5882 10001539 lstrlenW lstrcatW 5881->5882 5883 100010f1 57 API calls 5882->5883 5884 1000156b lstrlenW lstrcatW 5883->5884 5885 100010f1 57 API calls 5884->5885 5886 1000159d lstrlenW lstrcatW 5885->5886 5887 100010f1 57 API calls 5886->5887 5887->5877 5889 10001118 ___scrt_fastfail 5888->5889 5890 10001129 
lstrlenW 5889->5890 5901 10002c40 5890->5901 5892 10001148 lstrcatW lstrlenW 5893 10001177 lstrlenW FindFirstFileW 5892->5893 5894 10001168 lstrlenW 5892->5894 5895 100011a0 5893->5895 5896 100011e1 5893->5896 5894->5893 5897 100011c7 FindNextFileW 5895->5897 5900 100011aa 5895->5900 5896->5867 5897->5895 5898 100011da FindClose 5897->5898 5898->5896 5900->5897 5903 10001000 5900->5903 5902 10002c57 5901->5902 5902->5892 5902->5902 5904 10001022 ___scrt_fastfail 5903->5904 5905 100010af 5904->5905 5906 1000102f lstrcatW lstrlenW 5904->5906 5907 100010b5 lstrlenW 5905->5907 5908 100010ad 5905->5908 5909 1000105a lstrlenW 5906->5909 5910 1000106b lstrlenW 5906->5910 5934 10001e16 5907->5934 5908->5900 5909->5910 5920 10001e89 lstrlenW 5910->5920 5913 10001088 GetFileAttributesW 5913->5908 5915 1000109c 5913->5915 5914 100010ca 5914->5908 5916 10001e89 5 API calls 5914->5916 5915->5908 5926 1000173a 5915->5926 5918 100010df 5916->5918 5939 100011ea 5918->5939 5921 10002c40 ___scrt_fastfail 5920->5921 5922 10001ea7 lstrcatW lstrlenW 5921->5922 5923 10001ed1 lstrcatW 5922->5923 5924 10001ec2 5922->5924 5923->5913 5924->5923 5925 10001ec7 lstrlenW 5924->5925 5925->5923 5927 10001747 ___scrt_fastfail 5926->5927 5954 10001cca 5927->5954 5931 1000199f 5931->5908 5932 10001824 ___scrt_fastfail _strlen 5932->5931 5974 100015da 5932->5974 5935 10001e29 5934->5935 5938 10001e4c 5934->5938 5936 10001e2d lstrlenW 5935->5936 5935->5938 5937 10001e3f lstrlenW 5936->5937 5936->5938 5937->5938 5938->5914 5940 1000120e ___scrt_fastfail 5939->5940 5941 10001e89 5 API calls 5940->5941 5942 10001220 GetFileAttributesW 5941->5942 5943 10001235 5942->5943 5944 10001246 5942->5944 5943->5944 5946 1000173a 35 API calls 5943->5946 5945 10001e89 5 API calls 5944->5945 5947 10001258 5945->5947 5946->5944 5948 100010f1 56 API calls 5947->5948 5949 1000126d 5948->5949 5950 10001e89 5 API calls 5949->5950 5951 1000127f ___scrt_fastfail 5950->5951 5952 100010f1 56 API calls 5951->5952 5953 100012e6 
5952->5953 5953->5908 5955 10001cf1 ___scrt_fastfail 5954->5955 5956 10001d0f CopyFileW CreateFileW 5955->5956 5957 10001d44 DeleteFileW 5956->5957 5958 10001d55 GetFileSize 5956->5958 5963 10001808 5957->5963 5959 10001ede 22 API calls 5958->5959 5960 10001d66 ReadFile 5959->5960 5961 10001d94 CloseHandle DeleteFileW 5960->5961 5962 10001d7d CloseHandle DeleteFileW 5960->5962 5961->5963 5962->5963 5963->5931 5964 10001ede 5963->5964 5966 1000222f 5964->5966 5967 1000224e 5966->5967 5970 10002250 5966->5970 5982 1000474f 5966->5982 5987 100047e5 5966->5987 5967->5932 5969 10002908 5971 100035d2 __CxxThrowException@8 RaiseException 5969->5971 5970->5969 5994 100035d2 5970->5994 5972 10002925 5971->5972 5972->5932 5975 1000160c _strcat _strlen 5974->5975 5976 1000163c lstrlenW 5975->5976 6082 10001c9d 5976->6082 5978 10001655 lstrcatW lstrlenW 5979 10001678 5978->5979 5980 10001693 ___scrt_fastfail 5979->5980 5981 1000167e lstrcatW 5979->5981 5980->5932 5981->5980 5997 10004793 5982->5997 5985 1000478f 5985->5966 5986 10004765 6003 10002ada 5986->6003 5992 100056d0 __dosmaperr 5987->5992 5988 1000570e 6016 10006368 5988->6016 5990 100056f9 RtlAllocateHeap 5991 1000570c 5990->5991 5990->5992 5991->5966 5992->5988 5992->5990 5993 1000474f __dosmaperr 7 API calls 5992->5993 5993->5992 5996 100035f2 RaiseException 5994->5996 5996->5969 5998 1000479f ___DestructExceptionObject 5997->5998 6010 10005671 RtlEnterCriticalSection 5998->6010 6000 100047aa 6011 100047dc 6000->6011 6002 100047d1 _abort 6002->5986 6004 10002ae3 6003->6004 6005 10002ae5 IsProcessorFeaturePresent 6003->6005 6004->5985 6007 10002b58 6005->6007 6015 10002b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6007->6015 6009 10002c3b 6009->5985 6010->6000 6014 100056b9 RtlLeaveCriticalSection 6011->6014 6013 100047e3 6013->6002 6014->6013 6015->6009 6019 10005b7a GetLastError 6016->6019 6020 10005b93 6019->6020 6021 10005b99 6019->6021 6038 10005e08 6020->6038 6026 
10005bf0 SetLastError 6021->6026 6045 1000637b 6021->6045 6025 10005bb3 6052 1000571e 6025->6052 6027 10005bf9 6026->6027 6027->5991 6031 10005bb9 6033 10005be7 SetLastError 6031->6033 6032 10005bcf 6065 1000593c 6032->6065 6033->6027 6036 1000571e _free 17 API calls 6037 10005be0 6036->6037 6037->6026 6037->6033 6070 10005c45 6038->6070 6040 10005e2f 6041 10005e47 TlsGetValue 6040->6041 6042 10005e3b 6040->6042 6041->6042 6043 10002ada _ValidateLocalCookies 5 API calls 6042->6043 6044 10005e58 6043->6044 6044->6021 6050 10006388 __dosmaperr 6045->6050 6046 100063c8 6049 10006368 __dosmaperr 19 API calls 6046->6049 6047 100063b3 RtlAllocateHeap 6048 10005bab 6047->6048 6047->6050 6048->6025 6058 10005e5e 6048->6058 6049->6048 6050->6046 6050->6047 6051 1000474f __dosmaperr 7 API calls 6050->6051 6051->6050 6053 10005729 HeapFree 6052->6053 6057 10005752 __dosmaperr 6052->6057 6054 1000573e 6053->6054 6053->6057 6055 10006368 __dosmaperr 18 API calls 6054->6055 6056 10005744 GetLastError 6055->6056 6056->6057 6057->6031 6059 10005c45 __dosmaperr 5 API calls 6058->6059 6060 10005e85 6059->6060 6061 10005ea0 TlsSetValue 6060->6061 6062 10005e94 6060->6062 6061->6062 6063 10002ada _ValidateLocalCookies 5 API calls 6062->6063 6064 10005bc8 6063->6064 6064->6025 6064->6032 6076 10005914 6065->6076 6071 10005c71 6070->6071 6072 10005c75 __crt_fast_encode_pointer 6070->6072 6071->6072 6073 10005ce1 __dosmaperr LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 6071->6073 6075 10005c95 6071->6075 6072->6040 6073->6071 6074 10005ca1 GetProcAddress 6074->6072 6075->6072 6075->6074 6077 10005854 __dosmaperr RtlEnterCriticalSection RtlLeaveCriticalSection 6076->6077 6078 10005938 6077->6078 6079 100058c4 6078->6079 6080 10005758 __dosmaperr 20 API calls 6079->6080 6081 100058e8 6080->6081 6081->6036 6083 10001ca6 _strlen 6082->6083 6083->5978 7608 100020db 7611 100020e7 ___DestructExceptionObject 7608->7611 7609 100020f6 7610 10002110 dllmain_raw 7610->7609 7612 1000212a 
[Execution graph of module 10000000 (process 6, snapshot hcaresult_6_2_10000000_Adobe.jbxd): the rendered node/edge data is omitted here. The graph's node labels name CRT start-up and tear-down routines (dllmain_raw, dllmain_crt_process_attach, dllmain_crt_process_detach, __dosmaperr, _free, _abort, __fassign, ___std_exception_copy, _ValidateLocalCookies, __startOneArgErrorHandling, ___scrt_fastfail, ___vcrt_FlsGetValue/___vcrt_FlsSetValue, try_get_function, try_get_first_available_module) and the Win32/NT APIs reached from them: GetModuleHandleA, GetProcAddress and VirtualProtect (the 1000c7a7/1000c803 cluster), GetStartupInfoW, GetFileType, FindFirstFileExA, GetModuleFileNameA, GetModuleHandleW, GetModuleHandleExW, LoadLibraryExW, FreeLibrary, TlsAlloc, TlsSetValue, TlsGetValue, TlsFree, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, InitializeCriticalSectionAndSpinCount, RtlInitializeSListHead, RtlSizeHeap, RtlReAllocateHeap, RtlDecodePointer, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetPEB, RaiseException, GetLastError and SetLastError.]

                                      Control-flow Graph

                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                      • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                      • FindClose.KERNEL32(00000000), ref: 100011DB
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                      • String ID:
                                      • API String ID: 1083526818-0
                                      • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                      • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                      • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                      • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                      Control-flow Graph

                                      APIs
                                      • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                        • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                        • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                        • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                        • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                      • lstrlenW.KERNEL32(?), ref: 100014C5
                                      • lstrlenW.KERNEL32(?), ref: 100014E0
                                      • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                      • lstrcatW.KERNEL32(00000000), ref: 10001521
                                      • lstrlenW.KERNEL32(?,?), ref: 10001547
                                      • lstrcatW.KERNEL32(00000000), ref: 10001553
                                      • lstrlenW.KERNEL32(?,?), ref: 10001579
                                      • lstrcatW.KERNEL32(00000000), ref: 10001585
                                      • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                      • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                      • String ID: )$Foxmail$ProgramFiles
                                      • API String ID: 672098462-2938083778
                                      • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                      • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                      • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                      • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                        • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                        • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                        • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProtectVirtual
                                      • String ID:
                                      • API String ID: 2099061454-0
                                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                                      Control-flow Graph

                                      [Control-flow graph of function 1000c7a7 (basic blocks 1000c7a7 to 1000c872; the executed/not-executed block colouring is omitted): block 1000c7c8 calls 1000c7e6; block 1000c800 calls GetProcAddress, followed by VirtualProtect at 1000c80d and again at 1000c81c; block 1000c835 calls GetModuleHandleA; block 1000c85f calls GetProcAddress; block 1000c872 calls 1000c877.]
                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                        • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                        • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                        • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                        • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProtectVirtual
                                      • String ID:
                                      • API String ID: 2099061454-0
                                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                      • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

                                      Control-flow Graph

                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                      • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                      • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProcProtectVirtual$HandleModule
                                      • String ID:
                                      • API String ID: 2152742572-0
                                      • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                      • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                        • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                        • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                      • _strlen.LIBCMT ref: 10001855
                                      • _strlen.LIBCMT ref: 10001869
                                      • _strlen.LIBCMT ref: 1000188B
                                      • _strlen.LIBCMT ref: 100018AE
                                      • _strlen.LIBCMT ref: 100018C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _strlen$File$CopyCreateDelete
                                      • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                      • API String ID: 3296212668-3023110444
                                      • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                      • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                      • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                      • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: %m$~$Gon~$~F@7$~dra
                                      • API String ID: 4218353326-230879103
                                      • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                      • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                      • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                      • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

                                      Control-flow Graph

                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 10007D06
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                      • _free.LIBCMT ref: 10007CFB
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 10007D1D
                                      • _free.LIBCMT ref: 10007D32
                                      • _free.LIBCMT ref: 10007D3D
                                      • _free.LIBCMT ref: 10007D5F
                                      • _free.LIBCMT ref: 10007D72
                                      • _free.LIBCMT ref: 10007D80
                                      • _free.LIBCMT ref: 10007D8B
                                      • _free.LIBCMT ref: 10007DC3
                                      • _free.LIBCMT ref: 10007DCA
                                      • _free.LIBCMT ref: 10007DE7
                                      • _free.LIBCMT ref: 10007DFF
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                      • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                      • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                      • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

                                      Control-flow Graph

                                      APIs
                                      • _free.LIBCMT ref: 100059EA
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100059F6
                                      • _free.LIBCMT ref: 10005A01
                                      • _free.LIBCMT ref: 10005A0C
                                      • _free.LIBCMT ref: 10005A17
                                      • _free.LIBCMT ref: 10005A22
                                      • _free.LIBCMT ref: 10005A2D
                                      • _free.LIBCMT ref: 10005A38
                                      • _free.LIBCMT ref: 10005A43
                                      • _free.LIBCMT ref: 10005A51
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                      • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                      • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                      • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

                                      Control-flow Graph

                                      APIs
                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 1454806937-0
                                      • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                      • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                      • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                      • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

                                      Control-flow Graph

                                      APIs
                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                      • __fassign.LIBCMT ref: 1000954F
                                      • __fassign.LIBCMT ref: 1000956A
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                      • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                      • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                      • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                      • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                      • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

                                      Control-flow Graph

                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                      • _ValidateLocalCookies.LIBCMT ref: 10003431
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                      • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                      • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                      • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                      • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                      • _free.LIBCMT ref: 100092AB
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100092B6
                                      • _free.LIBCMT ref: 100092C1
                                      • _free.LIBCMT ref: 10009315
                                      • _free.LIBCMT ref: 10009320
                                      • _free.LIBCMT ref: 1000932B
                                      • _free.LIBCMT ref: 10009336
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                      • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                      • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                      • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

                                      Control-flow Graph

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                      • __freea.LIBCMT ref: 10008A08
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      • __freea.LIBCMT ref: 10008A11
                                      • __freea.LIBCMT ref: 10008A36
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                      • String ID:
                                      • API String ID: 1414292761-0
                                      • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                      • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                      • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                      • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                      APIs
                                      • _strlen.LIBCMT ref: 10001607
                                      • _strcat.LIBCMT ref: 1000161D
                                      • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                      • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                      • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                      • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrcatlstrlen$_strcat_strlen
                                      • String ID:
                                      • API String ID: 1922816806-0
                                      • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                      • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                      • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                      • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                      APIs
                                      • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                      • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrlen$AttributesFilelstrcat
                                      • String ID:
                                      • API String ID: 3594823470-0
                                      • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                      • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                      • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                      • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                      APIs
                                      • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                      • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                      • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                      • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                      • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                      APIs
                                      • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                      • _free.LIBCMT ref: 10005B2D
                                      • _free.LIBCMT ref: 10005B55
                                      • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                      • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                      • _abort.LIBCMT ref: 10005B74
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                      • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                      • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                      • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                      APIs
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                        • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                        • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                      • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                        • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                        • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                      • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                      • API String ID: 4036392271-1520055953
                                      • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                      • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                      • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                      • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                      • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                      • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                      • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                      • _free.LIBCMT ref: 100071B8
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                      • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                      • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                      • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                      • _free.LIBCMT ref: 10005BB4
                                      • _free.LIBCMT ref: 10005BDB
                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                      • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                      • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                      • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                      • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                      • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                      • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                      • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrlen$lstrcat
                                      • String ID:
                                      • API String ID: 493641738-0
                                      • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                      • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                      • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                      • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                      APIs
                                      • _free.LIBCMT ref: 100091D0
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100091E2
                                      • _free.LIBCMT ref: 100091F4
                                      • _free.LIBCMT ref: 10009206
                                      • _free.LIBCMT ref: 10009218
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                      • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                      • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                      • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                      APIs
                                      • _free.LIBCMT ref: 1000536F
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 10005381
                                      • _free.LIBCMT ref: 10005394
                                      • _free.LIBCMT ref: 100053A5
                                      • _free.LIBCMT ref: 100053B6
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                      • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                      • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                      • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\Adobe\Adobe.exe,00000104), ref: 10004C1D
                                      • _free.LIBCMT ref: 10004CE8
                                      • _free.LIBCMT ref: 10004CF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\ProgramData\Adobe\Adobe.exe
                                      • API String ID: 2506810119-1403210833
                                      • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                      • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                      • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                      • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                      • __freea.LIBCMT ref: 100087D5
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                      • String ID:
                                      • API String ID: 2652629310-0
                                      • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                      • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                      • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                      • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                      • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                      • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                      • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                      • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                      APIs
                                      • _free.LIBCMT ref: 1000655C
                                        • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                        • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                        • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                      • String ID: *?$.
                                      • API String ID: 2667617558-3972193922
                                      • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                      • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                      • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                      • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: : $Se.
                                      • API String ID: 4218353326-4089948878
                                      • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                      • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                      • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                      • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                        • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.3828225626.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000006.00000002.3828196501.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000006.00000002.3828225626.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw$ExceptionRaise
                                      • String ID: Unknown exception
                                      • API String ID: 3476068407-410509341
                                      • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                      • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                      • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                      • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

                                      Execution Graph

                                      Execution Coverage:6.1%
                                      Dynamic/Decrypted Code Coverage:9.2%
                                      Signature Coverage:0%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:86
                                      execution_graph 40342 441819 40345 430737 40342->40345 40344 441825 40346 430756 40345->40346 40358 43076d 40345->40358 40347 430774 40346->40347 40348 43075f 40346->40348 40350 43034a memcpy 40347->40350 40366 4169a7 11 API calls 40348->40366 40353 43077e 40350->40353 40351 4307ce 40352 430819 memset 40351->40352 40359 415b2c 40351->40359 40352->40358 40353->40351 40356 4307fa 40353->40356 40353->40358 40355 4307e9 40355->40352 40355->40358 40367 4169a7 11 API calls 40356->40367 40358->40344 40360 415b46 40359->40360 40361 415b42 40359->40361 40360->40355 40361->40360 40362 415b94 40361->40362 40364 415b5a 40361->40364 40363 4438b5 10 API calls 40362->40363 40363->40360 40364->40360 40365 415b79 memcpy 40364->40365 40365->40360 40366->40358 40367->40358 37676 442ec6 19 API calls 37849 4152c6 malloc 37850 4152e2 37849->37850 37851 4152ef 37849->37851 37853 416760 11 API calls 37851->37853 37853->37850 37885 4466f4 37904 446904 37885->37904 37887 446700 GetModuleHandleA 37890 446710 __set_app_type __p__fmode __p__commode 37887->37890 37889 4467a4 37891 4467ac __setusermatherr 37889->37891 37892 4467b8 37889->37892 37890->37889 37891->37892 37905 4468f0 _controlfp 37892->37905 37894 4467bd _initterm __wgetmainargs _initterm 37896 44681e GetStartupInfoW 37894->37896 37897 446810 37894->37897 37898 446866 GetModuleHandleA 37896->37898 37906 41276d 37898->37906 37902 446896 exit 37903 44689d _cexit 37902->37903 37903->37897 37904->37887 37905->37894 37907 41277d 37906->37907 37949 4044a4 LoadLibraryW 37907->37949 37909 412785 37940 412789 37909->37940 37957 414b81 37909->37957 37912 4127c8 37963 412465 memset ??2@YAPAXI 37912->37963 37914 4127ea 37975 40ac21 37914->37975 37919 412813 37993 40dd07 memset 37919->37993 37920 412827 37998 40db69 memset 37920->37998 37924 412822 38019 4125b6 ??3@YAXPAX 37924->38019 37925 40ada2 _wcsicmp 37926 41283d 37925->37926 37926->37924 37929 412863 CoInitialize 37926->37929 38003 41268e 
37926->38003 38023 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37929->38023 37933 41296f 38025 40b633 37933->38025 37935 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37941 412957 CoUninitialize 37935->37941 37946 4128ca 37935->37946 37940->37902 37940->37903 37941->37924 37942 4128d0 TranslateAcceleratorW 37943 412941 GetMessageW 37942->37943 37942->37946 37943->37941 37943->37942 37944 412909 IsDialogMessageW 37944->37943 37944->37946 37945 4128fd IsDialogMessageW 37945->37943 37945->37944 37946->37942 37946->37944 37946->37945 37947 41292b TranslateMessage DispatchMessageW 37946->37947 37948 41291f IsDialogMessageW 37946->37948 37947->37943 37948->37943 37948->37947 37950 4044cf GetProcAddress 37949->37950 37953 4044f7 37949->37953 37951 4044e8 FreeLibrary 37950->37951 37954 4044df 37950->37954 37952 4044f3 37951->37952 37951->37953 37952->37953 37955 404507 MessageBoxW 37953->37955 37956 40451e 37953->37956 37954->37951 37955->37909 37956->37909 37958 414b8a 37957->37958 37959 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37957->37959 38029 40a804 memset 37958->38029 37959->37912 37962 414b9e GetProcAddress 37962->37959 37964 4124e0 37963->37964 37965 412505 ??2@YAPAXI 37964->37965 37966 41251c 37965->37966 37968 412521 37965->37968 38051 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37966->38051 38040 444722 37968->38040 37974 41259b wcscpy 37974->37914 38056 40b1ab free free 37975->38056 37979 40a9ce malloc memcpy free free 37986 40ac5c 37979->37986 37980 40ad4b 37988 40ad76 37980->37988 38080 40a9ce 37980->38080 37982 40ace7 free 37982->37986 37986->37979 37986->37980 37986->37982 37986->37988 38060 40a8d0 37986->38060 38072 4099f4 37986->38072 37987 40a8d0 7 API calls 37987->37988 38057 40aa04 37988->38057 37989 40ada2 37990 40adc9 37989->37990 37991 40adaa 37989->37991 37990->37919 37990->37920 37991->37990 37992 40adb3 _wcsicmp 37991->37992 37992->37990 37992->37991 38085 
40dce0 37993->38085 37995 40dd3a GetModuleHandleW 38090 40dba7 37995->38090 37999 40dce0 3 API calls 37998->37999 38000 40db99 37999->38000 38162 40dae1 38000->38162 38176 402f3a 38003->38176 38005 412766 38005->37924 38005->37929 38006 4126d3 _wcsicmp 38007 4126a8 38006->38007 38007->38005 38007->38006 38009 41270a 38007->38009 38210 4125f8 7 API calls 38007->38210 38009->38005 38179 411ac5 38009->38179 38020 4125da 38019->38020 38021 4125f0 38020->38021 38022 4125e6 DeleteObject 38020->38022 38024 40b1ab free free 38021->38024 38022->38021 38023->37935 38024->37933 38026 40b640 38025->38026 38027 40b639 free 38025->38027 38028 40b1ab free free 38026->38028 38027->38026 38028->37940 38030 40a83b GetSystemDirectoryW 38029->38030 38031 40a84c wcscpy 38029->38031 38030->38031 38036 409719 wcslen 38031->38036 38034 40a881 LoadLibraryW 38035 40a886 38034->38035 38035->37959 38035->37962 38037 409724 38036->38037 38038 409739 wcscat LoadLibraryW 38036->38038 38037->38038 38039 40972c wcscat 38037->38039 38038->38034 38038->38035 38039->38038 38041 444732 38040->38041 38042 444728 DeleteObject 38040->38042 38052 409cc3 38041->38052 38042->38041 38044 412551 38045 4010f9 38044->38045 38046 401130 38045->38046 38047 401134 GetModuleHandleW LoadIconW 38046->38047 38048 401107 wcsncat 38046->38048 38049 40a7be 38047->38049 38048->38046 38050 40a7d2 38049->38050 38050->37974 38050->38050 38051->37968 38055 409bfd memset wcscpy 38052->38055 38054 409cdb CreateFontIndirectW 38054->38044 38055->38054 38056->37986 38058 40aa14 38057->38058 38059 40aa0a free 38057->38059 38058->37989 38059->38058 38061 40a8eb 38060->38061 38062 40a8df wcslen 38060->38062 38063 40a906 free 38061->38063 38064 40a90f 38061->38064 38062->38061 38066 40a919 38063->38066 38065 4099f4 3 API calls 38064->38065 38065->38066 38067 40a932 38066->38067 38068 40a929 free 38066->38068 38070 4099f4 3 API calls 38067->38070 38069 40a93e memcpy 38068->38069 38069->37986 38071 40a93d 38070->38071 38071->38069 38073 
409a41 38072->38073 38074 4099fb malloc 38072->38074 38073->37986 38076 409a37 38074->38076 38077 409a1c 38074->38077 38076->37986 38078 409a30 free 38077->38078 38079 409a20 memcpy 38077->38079 38078->38076 38079->38078 38081 40a9e7 38080->38081 38082 40a9dc free 38080->38082 38084 4099f4 3 API calls 38081->38084 38083 40a9f2 38082->38083 38083->37987 38084->38083 38109 409bca GetModuleFileNameW 38085->38109 38087 40dce6 wcsrchr 38088 40dcf5 38087->38088 38089 40dcf9 wcscat 38087->38089 38088->38089 38089->37995 38110 44db70 38090->38110 38094 40dbfd 38113 4447d9 38094->38113 38097 40dc34 wcscpy wcscpy 38139 40d6f5 38097->38139 38098 40dc1f wcscpy 38098->38097 38101 40d6f5 3 API calls 38102 40dc73 38101->38102 38103 40d6f5 3 API calls 38102->38103 38104 40dc89 38103->38104 38105 40d6f5 3 API calls 38104->38105 38106 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38105->38106 38145 40da80 38106->38145 38109->38087 38111 40dbb4 memset memset 38110->38111 38112 409bca GetModuleFileNameW 38111->38112 38112->38094 38115 4447f4 38113->38115 38114 40dc1b 38114->38097 38114->38098 38115->38114 38116 444807 ??2@YAPAXI 38115->38116 38117 44481f 38116->38117 38118 444873 _snwprintf 38117->38118 38119 4448ab wcscpy 38117->38119 38152 44474a 8 API calls 38118->38152 38121 4448bb 38119->38121 38153 44474a 8 API calls 38121->38153 38122 4448a7 38122->38119 38122->38121 38124 4448cd 38154 44474a 8 API calls 38124->38154 38126 4448e2 38155 44474a 8 API calls 38126->38155 38128 4448f7 38156 44474a 8 API calls 38128->38156 38130 44490c 38157 44474a 8 API calls 38130->38157 38132 444921 38158 44474a 8 API calls 38132->38158 38134 444936 38159 44474a 8 API calls 38134->38159 38136 44494b 38160 44474a 8 API calls 38136->38160 38138 444960 ??3@YAXPAX 38138->38114 38140 44db70 38139->38140 38141 40d702 memset GetPrivateProfileStringW 38140->38141 38142 40d752 38141->38142 38143 40d75c WritePrivateProfileStringW 38141->38143 38142->38143 38144 40d758 38142->38144 38143->38144 
38144->38101 38146 44db70 38145->38146 38147 40da8d memset 38146->38147 38148 40daac LoadStringW 38147->38148 38149 40dac6 38148->38149 38149->38148 38151 40dade 38149->38151 38161 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38149->38161 38151->37924 38152->38122 38153->38124 38154->38126 38155->38128 38156->38130 38157->38132 38158->38134 38159->38136 38160->38138 38161->38149 38172 409b98 GetFileAttributesW 38162->38172 38164 40daea 38165 40db63 38164->38165 38166 40daef wcscpy wcscpy GetPrivateProfileIntW 38164->38166 38165->37925 38173 40d65d GetPrivateProfileStringW 38166->38173 38168 40db3e 38174 40d65d GetPrivateProfileStringW 38168->38174 38170 40db4f 38175 40d65d GetPrivateProfileStringW 38170->38175 38172->38164 38173->38168 38174->38170 38175->38165 38211 40eaff 38176->38211 38180 411ae2 memset 38179->38180 38181 411b8f 38179->38181 38251 409bca GetModuleFileNameW 38180->38251 38193 411a8b 38181->38193 38183 411b0a wcsrchr 38184 411b22 wcscat 38183->38184 38185 411b1f 38183->38185 38252 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38184->38252 38185->38184 38187 411b67 38253 402afb 38187->38253 38191 411b7f 38309 40ea13 SendMessageW memset SendMessageW 38191->38309 38194 402afb 27 API calls 38193->38194 38195 411ac0 38194->38195 38196 4110dc 38195->38196 38197 41113e 38196->38197 38202 4110f0 38196->38202 38334 40969c LoadCursorW SetCursor 38197->38334 38199 411143 38335 4032b4 38199->38335 38353 444a54 38199->38353 38200 4110f7 _wcsicmp 38200->38202 38201 411157 38203 40ada2 _wcsicmp 38201->38203 38202->38197 38202->38200 38356 410c46 10 API calls 38202->38356 38206 411167 38203->38206 38204 4111af 38206->38204 38207 4111a6 qsort 38206->38207 38207->38204 38210->38007 38212 40eb10 38211->38212 38224 40e8e0 38212->38224 38215 40eb6c memcpy memcpy 38216 40ebb7 38215->38216 38216->38215 38217 40ebf2 ??2@YAPAXI ??2@YAPAXI 38216->38217 38220 40d134 16 API calls 38216->38220 38218 40ec2e ??2@YAPAXI 38217->38218 38221 
40ec65 38217->38221 38218->38221 38220->38216 38221->38221 38234 40ea7f 38221->38234 38223 402f49 38223->38007 38225 40e8f2 38224->38225 38226 40e8eb ??3@YAXPAX 38224->38226 38227 40e900 38225->38227 38228 40e8f9 ??3@YAXPAX 38225->38228 38226->38225 38229 40e911 38227->38229 38230 40e90a ??3@YAXPAX 38227->38230 38228->38227 38231 40e931 ??2@YAPAXI ??2@YAPAXI 38229->38231 38232 40e921 ??3@YAXPAX 38229->38232 38233 40e92a ??3@YAXPAX 38229->38233 38230->38229 38231->38215 38232->38233 38233->38231 38235 40aa04 free 38234->38235 38236 40ea88 38235->38236 38237 40aa04 free 38236->38237 38238 40ea90 38237->38238 38239 40aa04 free 38238->38239 38240 40ea98 38239->38240 38241 40aa04 free 38240->38241 38242 40eaa0 38241->38242 38243 40a9ce 4 API calls 38242->38243 38244 40eab3 38243->38244 38245 40a9ce 4 API calls 38244->38245 38246 40eabd 38245->38246 38247 40a9ce 4 API calls 38246->38247 38248 40eac7 38247->38248 38249 40a9ce 4 API calls 38248->38249 38250 40ead1 38249->38250 38250->38223 38251->38183 38252->38187 38310 40b2cc 38253->38310 38255 402b0a 38256 40b2cc 27 API calls 38255->38256 38257 402b23 38256->38257 38258 40b2cc 27 API calls 38257->38258 38259 402b3a 38258->38259 38260 40b2cc 27 API calls 38259->38260 38261 402b54 38260->38261 38262 40b2cc 27 API calls 38261->38262 38263 402b6b 38262->38263 38264 40b2cc 27 API calls 38263->38264 38265 402b82 38264->38265 38266 40b2cc 27 API calls 38265->38266 38267 402b99 38266->38267 38268 40b2cc 27 API calls 38267->38268 38269 402bb0 38268->38269 38270 40b2cc 27 API calls 38269->38270 38271 402bc7 38270->38271 38272 40b2cc 27 API calls 38271->38272 38273 402bde 38272->38273 38274 40b2cc 27 API calls 38273->38274 38275 402bf5 38274->38275 38276 40b2cc 27 API calls 38275->38276 38277 402c0c 38276->38277 38278 40b2cc 27 API calls 38277->38278 38279 402c23 38278->38279 38280 40b2cc 27 API calls 38279->38280 38281 402c3a 38280->38281 38282 40b2cc 27 API calls 38281->38282 38283 402c51 38282->38283 38284 40b2cc 27 API calls 
38283->38284 38285 402c68 38284->38285 38286 40b2cc 27 API calls 38285->38286 38287 402c7f 38286->38287 38288 40b2cc 27 API calls 38287->38288 38289 402c99 38288->38289 38290 40b2cc 27 API calls 38289->38290 38291 402cb3 38290->38291 38292 40b2cc 27 API calls 38291->38292 38293 402cd5 38292->38293 38294 40b2cc 27 API calls 38293->38294 38295 402cf0 38294->38295 38296 40b2cc 27 API calls 38295->38296 38297 402d0b 38296->38297 38298 40b2cc 27 API calls 38297->38298 38299 402d26 38298->38299 38300 40b2cc 27 API calls 38299->38300 38301 402d3e 38300->38301 38302 40b2cc 27 API calls 38301->38302 38303 402d59 38302->38303 38304 40b2cc 27 API calls 38303->38304 38305 402d78 38304->38305 38306 40b2cc 27 API calls 38305->38306 38307 402d93 38306->38307 38308 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38307->38308 38308->38191 38309->38181 38313 40b58d 38310->38313 38312 40b2d1 38312->38255 38314 40b5a4 GetModuleHandleW FindResourceW 38313->38314 38315 40b62e 38313->38315 38316 40b5c2 LoadResource 38314->38316 38317 40b5e7 38314->38317 38315->38312 38316->38317 38318 40b5d0 SizeofResource LockResource 38316->38318 38317->38315 38326 40afcf 38317->38326 38318->38317 38320 40b608 memcpy 38329 40b4d3 memcpy 38320->38329 38322 40b61e 38330 40b3c1 18 API calls 38322->38330 38324 40b626 38331 40b04b 38324->38331 38327 40b04b ??3@YAXPAX 38326->38327 38328 40afd7 ??2@YAPAXI 38327->38328 38328->38320 38329->38322 38330->38324 38332 40b051 ??3@YAXPAX 38331->38332 38333 40b05f 38331->38333 38332->38333 38333->38315 38334->38199 38336 4032c4 38335->38336 38337 40b633 free 38336->38337 38338 403316 38337->38338 38357 44553b 38338->38357 38342 403480 38555 40368c 15 API calls 38342->38555 38344 403489 38345 40b633 free 38344->38345 38346 403495 38345->38346 38346->38201 38347 4033a9 memset memcpy 38348 4033ec wcscmp 38347->38348 38349 40333c 38347->38349 38348->38349 38349->38342 38349->38347 38349->38348 38553 4028e7 11 API calls 38349->38553 
38554 40f508 6 API calls 38349->38554 38351 403421 _wcsicmp 38351->38349 38354 444a64 FreeLibrary 38353->38354 38355 444a83 38353->38355 38354->38355 38355->38201 38356->38202 38358 445548 38357->38358 38359 445599 38358->38359 38556 40c768 38358->38556 38360 4455a8 memset 38359->38360 38367 4457f2 38359->38367 38639 403988 38360->38639 38371 445854 38367->38371 38742 403e2d memset memset memset memset memset 38367->38742 38368 445672 38650 403fbe memset memset memset memset memset 38368->38650 38369 4458bb memset memset 38376 414c2e 16 API calls 38369->38376 38422 4458aa 38371->38422 38765 403c9c memset memset memset memset memset 38371->38765 38372 44557a 38419 44558c 38372->38419 38837 4136c0 CoTaskMemFree 38372->38837 38374 44595e memset memset 38381 414c2e 16 API calls 38374->38381 38375 4455e5 38375->38368 38384 44560f 38375->38384 38377 4458f9 38376->38377 38382 40b2cc 27 API calls 38377->38382 38379 445a00 memset memset 38788 414c2e 38379->38788 38380 445b22 38386 445bca 38380->38386 38387 445b38 memset memset memset 38380->38387 38391 44599c 38381->38391 38392 445909 38382->38392 38396 4087b3 338 API calls 38384->38396 38385 445849 38853 40b1ab free free 38385->38853 38393 445c8b memset memset 38386->38393 38461 445cf0 38386->38461 38397 445bd4 38387->38397 38398 445b98 38387->38398 38401 40b2cc 27 API calls 38391->38401 38402 409d1f 6 API calls 38392->38402 38405 414c2e 16 API calls 38393->38405 38394 445585 38838 41366b FreeLibrary 38394->38838 38395 44589f 38854 40b1ab free free 38395->38854 38403 445621 38396->38403 38411 414c2e 16 API calls 38397->38411 38398->38397 38407 445ba2 38398->38407 38404 4459ac 38401->38404 38415 445919 38402->38415 38839 4454bf 20 API calls 38403->38839 38417 409d1f 6 API calls 38404->38417 38418 445cc9 38405->38418 38926 4099c6 wcslen 38407->38926 38408 4456b2 38841 40b1ab free free 38408->38841 38410 40b2cc 27 API calls 38423 445a4f 38410->38423 38425 445be2 38411->38425 38412 403335 38552 4452e5 45 API calls 38412->38552 
38413 445d3d 38445 40b2cc 27 API calls 38413->38445 38414 445d88 memset memset memset 38428 414c2e 16 API calls 38414->38428 38855 409b98 GetFileAttributesW 38415->38855 38416 445823 38416->38385 38427 4087b3 338 API calls 38416->38427 38429 4459bc 38417->38429 38430 409d1f 6 API calls 38418->38430 38623 444b06 38419->38623 38420 445879 38420->38395 38441 4087b3 338 API calls 38420->38441 38422->38369 38446 44594a 38422->38446 38803 409d1f wcslen wcslen 38423->38803 38434 40b2cc 27 API calls 38425->38434 38427->38416 38438 445dde 38428->38438 38922 409b98 GetFileAttributesW 38429->38922 38440 445ce1 38430->38440 38431 445bb3 38929 445403 memset 38431->38929 38432 445680 38432->38408 38673 4087b3 memset 38432->38673 38435 445bf3 38434->38435 38444 409d1f 6 API calls 38435->38444 38436 445928 38436->38446 38856 40b6ef 38436->38856 38447 40b2cc 27 API calls 38438->38447 38946 409b98 GetFileAttributesW 38440->38946 38441->38420 38455 445c07 38444->38455 38456 445d54 _wcsicmp 38445->38456 38446->38374 38460 4459ed 38446->38460 38459 445def 38447->38459 38448 4459cb 38448->38460 38469 40b6ef 252 API calls 38448->38469 38452 40b2cc 27 API calls 38453 445a94 38452->38453 38808 40ae18 38453->38808 38454 44566d 38454->38367 38724 413d4c 38454->38724 38465 445389 258 API calls 38455->38465 38466 445d71 38456->38466 38531 445d67 38456->38531 38458 445665 38840 40b1ab free free 38458->38840 38467 409d1f 6 API calls 38459->38467 38460->38379 38460->38380 38461->38412 38461->38413 38461->38414 38462 445389 258 API calls 38462->38386 38471 445c17 38465->38471 38947 445093 23 API calls 38466->38947 38474 445e03 38467->38474 38469->38460 38470 4456d8 38476 40b2cc 27 API calls 38470->38476 38477 40b2cc 27 API calls 38471->38477 38473 44563c 38473->38458 38479 4087b3 338 API calls 38473->38479 38948 409b98 GetFileAttributesW 38474->38948 38475 40b6ef 252 API calls 38475->38412 38481 4456e2 38476->38481 38482 445c23 38477->38482 38478 445d83 38478->38412 38479->38473 38842 413fa6 
_wcsicmp _wcsicmp 38481->38842 38486 409d1f 6 API calls 38482->38486 38484 445e12 38491 445e6b 38484->38491 38497 40b2cc 27 API calls 38484->38497 38489 445c37 38486->38489 38487 445aa1 38490 445b17 38487->38490 38505 445ab2 memset 38487->38505 38518 409d1f 6 API calls 38487->38518 38815 40add4 38487->38815 38820 445389 38487->38820 38829 40ae51 38487->38829 38488 4456eb 38493 4456fd memset memset memset memset 38488->38493 38494 4457ea 38488->38494 38495 445389 258 API calls 38489->38495 38923 40aebe 38490->38923 38950 445093 23 API calls 38491->38950 38843 409c70 wcscpy wcsrchr 38493->38843 38846 413d29 38494->38846 38500 445c47 38495->38500 38501 445e33 38497->38501 38507 40b2cc 27 API calls 38500->38507 38508 409d1f 6 API calls 38501->38508 38503 445e7e 38504 445f67 38503->38504 38513 40b2cc 27 API calls 38504->38513 38509 40b2cc 27 API calls 38505->38509 38511 445c53 38507->38511 38512 445e47 38508->38512 38509->38487 38510 409c70 2 API calls 38514 44577e 38510->38514 38515 409d1f 6 API calls 38511->38515 38949 409b98 GetFileAttributesW 38512->38949 38517 445f73 38513->38517 38519 409c70 2 API calls 38514->38519 38520 445c67 38515->38520 38522 409d1f 6 API calls 38517->38522 38518->38487 38523 44578d 38519->38523 38524 445389 258 API calls 38520->38524 38521 445e56 38521->38491 38527 445e83 memset 38521->38527 38525 445f87 38522->38525 38523->38494 38530 40b2cc 27 API calls 38523->38530 38524->38386 38953 409b98 GetFileAttributesW 38525->38953 38529 40b2cc 27 API calls 38527->38529 38532 445eab 38529->38532 38533 4457a8 38530->38533 38531->38412 38531->38475 38534 409d1f 6 API calls 38532->38534 38535 409d1f 6 API calls 38533->38535 38536 445ebf 38534->38536 38537 4457b8 38535->38537 38538 40ae18 9 API calls 38536->38538 38845 409b98 GetFileAttributesW 38537->38845 38548 445ef5 38538->38548 38540 4457c7 38540->38494 38542 4087b3 338 API calls 38540->38542 38541 40ae51 9 API calls 38541->38548 38542->38494 38543 445f5c 38545 40aebe FindClose 38543->38545 38544 
40add4 2 API calls 38544->38548 38545->38504 38546 40b2cc 27 API calls 38546->38548 38547 409d1f 6 API calls 38547->38548 38548->38541 38548->38543 38548->38544 38548->38546 38548->38547 38550 445f3a 38548->38550 38951 409b98 GetFileAttributesW 38548->38951 38952 445093 23 API calls 38550->38952 38552->38349 38553->38351 38554->38349 38555->38344 38557 40c775 38556->38557 38954 40b1ab free free 38557->38954 38559 40c788 38955 40b1ab free free 38559->38955 38561 40c790 38956 40b1ab free free 38561->38956 38563 40c798 38564 40aa04 free 38563->38564 38565 40c7a0 38564->38565 38957 40c274 memset 38565->38957 38570 40a8ab 9 API calls 38571 40c7c3 38570->38571 38572 40a8ab 9 API calls 38571->38572 38573 40c7d0 38572->38573 38986 40c3c3 38573->38986 38577 40c7e5 38578 40c877 38577->38578 38579 40c86c 38577->38579 38585 40c634 49 API calls 38577->38585 39011 40a706 38577->39011 38586 40bdb0 38578->38586 39028 4053fe 39 API calls 38579->39028 38585->38577 39196 404363 38586->39196 38589 40bf5d 39216 40440c 38589->39216 38591 40bdee 38591->38589 38594 40b2cc 27 API calls 38591->38594 38592 40bddf CredEnumerateW 38592->38591 38595 40be02 wcslen 38594->38595 38595->38589 38597 40be1e 38595->38597 38596 40be26 wcsncmp 38596->38597 38597->38589 38597->38596 38600 40be7d memset 38597->38600 38601 40bea7 memcpy 38597->38601 38602 40bf11 wcschr 38597->38602 38603 40b2cc 27 API calls 38597->38603 38605 40bf43 LocalFree 38597->38605 39219 40bd5d 28 API calls 38597->39219 39220 404423 38597->39220 38600->38597 38600->38601 38601->38597 38601->38602 38602->38597 38604 40bef6 _wcsnicmp 38603->38604 38604->38597 38604->38602 38605->38597 38606 4135f7 39233 4135e0 38606->39233 38609 40b2cc 27 API calls 38610 41360d 38609->38610 38611 40a804 8 API calls 38610->38611 38612 413613 38611->38612 38613 41361b 38612->38613 38614 41363e 38612->38614 38615 40b273 27 API calls 38613->38615 38616 4135e0 FreeLibrary 38614->38616 38617 413625 GetProcAddress 38615->38617 38618 413643 38616->38618 
38617->38614 38619 413648 38617->38619 38618->38372 38620 413658 38619->38620 38621 4135e0 FreeLibrary 38619->38621 38620->38372 38622 413666 38621->38622 38622->38372 39236 4449b9 38623->39236 38626 444c1f 38626->38359 38627 4449b9 42 API calls 38629 444b4b 38627->38629 38628 444c15 38630 4449b9 42 API calls 38628->38630 38629->38628 39257 444972 GetVersionExW 38629->39257 38630->38626 38632 444b99 memcmp 38637 444b8c 38632->38637 38633 444c0b 39261 444a85 42 API calls 38633->39261 38637->38632 38637->38633 39258 444aa5 42 API calls 38637->39258 39259 40a7a0 GetVersionExW 38637->39259 39260 444a85 42 API calls 38637->39260 38640 40399d 38639->38640 39262 403a16 38640->39262 38642 403a09 39276 40b1ab free free 38642->39276 38644 4039a3 38644->38642 38648 4039f4 38644->38648 39273 40a02c CreateFileW 38644->39273 38645 403a12 wcsrchr 38645->38375 38648->38642 38649 4099c6 2 API calls 38648->38649 38649->38642 38651 414c2e 16 API calls 38650->38651 38652 404048 38651->38652 38653 414c2e 16 API calls 38652->38653 38654 404056 38653->38654 38655 409d1f 6 API calls 38654->38655 38656 404073 38655->38656 38657 409d1f 6 API calls 38656->38657 38658 40408e 38657->38658 38659 409d1f 6 API calls 38658->38659 38660 4040a6 38659->38660 38661 403af5 20 API calls 38660->38661 38662 4040ba 38661->38662 38663 403af5 20 API calls 38662->38663 38664 4040cb 38663->38664 39303 40414f memset 38664->39303 38666 404140 39317 40b1ab free free 38666->39317 38668 4040ec memset 38671 4040e0 38668->38671 38669 404148 38669->38432 38670 4099c6 2 API calls 38670->38671 38671->38666 38671->38668 38671->38670 38672 40a8ab 9 API calls 38671->38672 38672->38671 39330 40a6e6 WideCharToMultiByte 38673->39330 38675 4087ed 39331 4095d9 memset 38675->39331 38678 408953 38678->38432 38679 408809 memset memset memset memset memset 38680 40b2cc 27 API calls 38679->38680 38681 4088a1 38680->38681 38682 409d1f 6 API calls 38681->38682 38683 4088b1 38682->38683 38684 40b2cc 27 API calls 38683->38684 38685 
4088c0 38684->38685 38686 409d1f 6 API calls 38685->38686 38687 4088d0 38686->38687 38688 40b2cc 27 API calls 38687->38688 38689 4088df 38688->38689 38690 409d1f 6 API calls 38689->38690 38691 4088ef 38690->38691 38692 40b2cc 27 API calls 38691->38692 38693 4088fe 38692->38693 38694 409d1f 6 API calls 38693->38694 38695 40890e 38694->38695 38696 40b2cc 27 API calls 38695->38696 38697 40891d 38696->38697 38698 409d1f 6 API calls 38697->38698 38699 40892d 38698->38699 39350 409b98 GetFileAttributesW 38699->39350 38701 40893e 38702 408943 38701->38702 38703 408958 38701->38703 39351 407fdf 75 API calls 38702->39351 39352 409b98 GetFileAttributesW 38703->39352 38725 40b633 free 38724->38725 38726 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38725->38726 38727 413f00 Process32NextW 38726->38727 38728 413da5 OpenProcess 38727->38728 38729 413f17 CloseHandle 38727->38729 38730 413df3 memset 38728->38730 38735 413eb0 38728->38735 38729->38470 39630 413f27 38730->39630 38732 413ebf free 38732->38735 38733 4099f4 3 API calls 38733->38735 38735->38727 38735->38732 38735->38733 38736 413e37 GetModuleHandleW 38737 413e1f 38736->38737 38738 413e46 GetProcAddress 38736->38738 38737->38736 38739 413e6a QueryFullProcessImageNameW 38737->38739 39635 413959 38737->39635 39651 413ca4 38737->39651 38738->38737 38739->38737 38741 413ea2 CloseHandle 38741->38735 38743 414c2e 16 API calls 38742->38743 38744 403eb7 38743->38744 38745 414c2e 16 API calls 38744->38745 38746 403ec5 38745->38746 38747 409d1f 6 API calls 38746->38747 38748 403ee2 38747->38748 38749 409d1f 6 API calls 38748->38749 38750 403efd 38749->38750 38751 409d1f 6 API calls 38750->38751 38752 403f15 38751->38752 38753 403af5 20 API calls 38752->38753 38754 403f29 38753->38754 38755 403af5 20 API calls 38754->38755 38756 403f3a 38755->38756 38757 40414f 33 API calls 38756->38757 38758 403f4f 38757->38758 38759 403faf 38758->38759 38760 403f5b memset 38758->38760 38763 4099c6 2 API calls 38758->38763 38764 40a8ab 
Execution Graph (the interactive call-graph view did not survive extraction; only the recoverable node information is kept below)

Each node in the graph is a function address in the analysed sample together with the Win32/CRT imports it resolves; edges are caller->callee. The API chains visible in the graph nodes:

40e01e / 40e08d-40e14a: OpenProcess, GetCurrentProcess, DuplicateHandle, GetFileSize, GetTempPathW, GetWindowsDirectoryW, GetTempFileNameW, CreateFileW, CreateFileMappingW, MapViewOfFile, WriteFile, UnmapViewOfFile, CloseHandle (a file handle duplicated out of another process is mapped and written to a temporary file, the usual way of reading a database the owning process keeps locked; consistent with the WebBrowserPassView detection in the signature list)
40c2fd-40c3ad: FindFirstUrlCacheEntryW, FindNextUrlCacheEntryW, FindCloseUrlCache, wcschr (enumeration of the browser URL cache)
414592 / 4145ac / 40c3e7-40c505 / 40aa1d: RegOpenKeyExW, RegQueryValueExW, RegEnumValueW, RegCloseKey, _wcsupr (registry value enumeration)
40ae18 / 40ae51 / 40aebe / 403af5 / 40c1d3: FindFirstFileW, FindNextFileW, FindClose, wcscmp, _wcsicmp (recursive directory walks)
40b7d4-40b837 / 40bade / 40e59c: CreateFileW, CopyFileW, GetTempPathW, DeleteFileW, CloseHandle (copying a target file to the temp directory and deleting it afterwards)
405220-405332 / 404383-4043e2 / 4449c4-444a48 / 413f5f / 413cb0: 40a804 followed by repeated GetProcAddress, GetModuleHandleW, FreeLibrary (imports resolved at run time rather than through the import table)
413cb0 / 413f37: GetProcessTimes, K32GetModuleFileNameExW
41443e-4144a3: GetPrivateProfileStringW, WritePrivateProfileStringW, _snwprintf, wcschr (INI-style settings read and written)
4148b6-4148ee: FindResourceW, SizeofResource, LoadResource, LockResource (payload or configuration read from a PE resource)
409cf9: GetVersionExW; 409dd5: GetWindowsDirectoryW; 409b98: GetFileAttributesW; 40a051 / 4039ca: GetFileTime, CompareFileTime; 40b64c: SystemTimeToFileTime, FileTimeToLocalFileTime; 44deb5 / 413d2f / 40440c: FreeLibrary
40cc26 / 40a2ef / 40ab4a / 40a6e6 / 40a71b / 40a734: CreateFileW, GetFileSize, ReadFile, MultiByteToWideChar, WideCharToMultiByte (file contents read into memory and converted between ANSI and UTF-16)
415320 / 40a9ce / 40d00b / 40afe8 / 40b04b: realloc, malloc, free, ??2@YAPAXI (operator new), ??3@YAXPAX (operator delete); the remaining nodes are memset, memcpy, memcmp, memmove, wcscpy, wcscat, wcslen, wcsrchr, _wcslwr, _memicmp, _snwprintf, strlen, _mbscpy, _mbscat, __aullrem and __aulldvrm string and arithmetic helpers
memcpy 40337->40338 40337->40339 40338->40339 40339->40135 40340->40333 40341->40337 40368 41493c EnumResourceNamesW 37677 4287c1 37678 4287d2 37677->37678 37679 429ac1 37677->37679 37680 428818 37678->37680 37681 42881f 37678->37681 37687 425711 37678->37687 37692 425ad6 37679->37692 37747 415c56 11 API calls 37679->37747 37714 42013a 37680->37714 37742 420244 97 API calls 37681->37742 37686 4260dd 37741 424251 120 API calls 37686->37741 37687->37679 37689 4259da 37687->37689 37695 422aeb memset memcpy memcpy 37687->37695 37696 429a4d 37687->37696 37699 4260a1 37687->37699 37710 4259c2 37687->37710 37713 425a38 37687->37713 37730 4227f0 memset memcpy 37687->37730 37731 422b84 15 API calls 37687->37731 37732 422b5d memset memcpy memcpy 37687->37732 37733 422640 13 API calls 37687->37733 37735 4241fc 11 API calls 37687->37735 37736 42413a 90 API calls 37687->37736 37740 416760 11 API calls 37689->37740 37695->37687 37697 429a66 37696->37697 37701 429a9b 37696->37701 37743 415c56 11 API calls 37697->37743 37739 415c56 11 API calls 37699->37739 37702 429a96 37701->37702 37745 416760 11 API calls 37701->37745 37746 424251 120 API calls 37702->37746 37704 429a7a 37744 416760 11 API calls 37704->37744 37710->37692 37734 415c56 11 API calls 37710->37734 37713->37710 37737 422640 13 API calls 37713->37737 37738 4226e0 12 API calls 37713->37738 37715 42014c 37714->37715 37718 420151 37714->37718 37757 41e466 97 API calls 37715->37757 37717 420162 37717->37687 37718->37717 37719 4201b3 37718->37719 37720 420229 37718->37720 37721 4201b8 37719->37721 37722 4201dc 37719->37722 37720->37717 37723 41fd5e 86 API calls 37720->37723 37748 41fbdb 37721->37748 37722->37717 37726 4201ff 37722->37726 37754 41fc4c 37722->37754 37723->37717 37726->37717 37729 42013a 97 API calls 37726->37729 37729->37717 37730->37687 37731->37687 37732->37687 37733->37687 37734->37689 37735->37687 37736->37687 37737->37713 37738->37713 37739->37689 37740->37686 37741->37692 37742->37687 37743->37704 
37744->37702 37745->37702 37746->37679 37747->37689 37749 41fbf1 37748->37749 37750 41fbf8 37748->37750 37753 41fc39 37749->37753 37772 4446ce 11 API calls 37749->37772 37762 41ee26 37750->37762 37753->37717 37758 41fd5e 37753->37758 37755 41ee6b 86 API calls 37754->37755 37756 41fc5d 37755->37756 37756->37722 37757->37718 37760 41fd65 37758->37760 37759 41fdab 37759->37717 37760->37759 37761 41fbdb 86 API calls 37760->37761 37761->37760 37763 41ee41 37762->37763 37764 41ee32 37762->37764 37773 41edad 37763->37773 37776 4446ce 11 API calls 37764->37776 37768 41ee3c 37768->37749 37770 41ee58 37770->37768 37778 41ee6b 37770->37778 37772->37753 37782 41be52 37773->37782 37776->37768 37777 41eb85 11 API calls 37777->37770 37779 41ee70 37778->37779 37780 41ee78 37778->37780 37835 41bf99 86 API calls 37779->37835 37780->37768 37783 41be6f 37782->37783 37784 41be5f 37782->37784 37789 41be8c 37783->37789 37814 418c63 memset memset 37783->37814 37813 4446ce 11 API calls 37784->37813 37786 41be69 37786->37768 37786->37777 37788 41bee7 37788->37786 37818 41a453 86 API calls 37788->37818 37789->37786 37789->37788 37790 41bf3a 37789->37790 37792 41bed1 37789->37792 37817 4446ce 11 API calls 37790->37817 37794 41bef0 37792->37794 37797 41bee2 37792->37797 37794->37788 37795 41bf01 37794->37795 37796 41bf24 memset 37795->37796 37798 41bf14 37795->37798 37815 418a6d memset memcpy memset 37795->37815 37796->37786 37803 41ac13 37797->37803 37816 41a223 memset memcpy memset 37798->37816 37802 41bf20 37802->37796 37804 41ac52 37803->37804 37805 41ac3f memset 37803->37805 37808 41ac6a 37804->37808 37819 41dc14 19 API calls 37804->37819 37806 41acd9 37805->37806 37806->37788 37809 41aca1 37808->37809 37820 41519d 37808->37820 37809->37806 37811 41acc0 memset 37809->37811 37812 41accd memcpy 37809->37812 37811->37806 37812->37806 37813->37786 37814->37789 37815->37798 37816->37802 37817->37788 37819->37808 37823 4175ed 37820->37823 37831 417570 SetFilePointer 37823->37831 37826 41760a 
ReadFile 37827 417637 37826->37827 37828 417627 GetLastError 37826->37828 37829 4151b3 37827->37829 37830 41763e memset 37827->37830 37828->37829 37829->37809 37830->37829 37832 4175b2 37831->37832 37833 41759c GetLastError 37831->37833 37832->37826 37832->37829 37833->37832 37834 4175a8 GetLastError 37833->37834 37834->37832 37835->37780 37836 417bc5 37838 417c61 37836->37838 37842 417bda 37836->37842 37837 417bf6 UnmapViewOfFile CloseHandle 37837->37837 37837->37842 37840 417c2c 37840->37842 37848 41851e 20 API calls 37840->37848 37842->37837 37842->37838 37842->37840 37843 4175b7 37842->37843 37844 4175d6 CloseHandle 37843->37844 37845 4175c8 37844->37845 37846 4175df 37844->37846 37845->37846 37847 4175ce Sleep 37845->37847 37846->37842 37847->37844 37848->37840 39815 4147f3 39818 414561 39815->39818 39817 414813 39819 41456d 39818->39819 39820 41457f GetPrivateProfileIntW 39818->39820 39823 4143f1 memset _itow WritePrivateProfileStringW 39819->39823 39820->39817 39822 41457a 39822->39817 39823->39822

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0040DDAD
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                        • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                      • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                      • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                      • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                      • _wcsicmp.MSVCRT ref: 0040DEB2
                                      • _wcsicmp.MSVCRT ref: 0040DEC5
                                      • _wcsicmp.MSVCRT ref: 0040DED8
                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                      • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                      • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                      • memset.MSVCRT ref: 0040DF5F
                                      • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                      • _wcsicmp.MSVCRT ref: 0040DFB2
                                      • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                      • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                      • API String ID: 708747863-3398334509
                                      APIs
                                        • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                        • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                        • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                      • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                      • free.MSVCRT ref: 00418803
                                      Similarity
                                      • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                      • String ID:
                                      • API String ID: 1355100292-0
                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                      • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                      Similarity
                                      • API ID: FileFind$FirstNext
                                      • String ID:
                                      • API String ID: 1690352074-0
                                      APIs
                                      • memset.MSVCRT ref: 0041898C
                                      • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                      Similarity
                                      • API ID: InfoSystemmemset
                                      • String ID:
                                      • API String ID: 3558857096-0

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 004455C2
                                      • wcsrchr.MSVCRT ref: 004455DA
                                      • memset.MSVCRT ref: 0044570D
                                      • memset.MSVCRT ref: 00445725
                                        • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                        • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                        • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                        • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                        • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                        • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                        • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                        • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                      • memset.MSVCRT ref: 0044573D
                                      • memset.MSVCRT ref: 00445755
                                      • memset.MSVCRT ref: 004458CB
                                      • memset.MSVCRT ref: 004458E3
                                      • memset.MSVCRT ref: 0044596E
                                      • memset.MSVCRT ref: 00445A10
                                      • memset.MSVCRT ref: 00445A28
                                      • memset.MSVCRT ref: 00445AC6
                                        • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                        • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                        • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                        • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                        • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                      • memset.MSVCRT ref: 00445B52
                                      • memset.MSVCRT ref: 00445B6A
                                      • memset.MSVCRT ref: 00445C9B
                                      • memset.MSVCRT ref: 00445CB3
                                      • _wcsicmp.MSVCRT ref: 00445D56
                                      • memset.MSVCRT ref: 00445B82
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                      • memset.MSVCRT ref: 00445986
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Strings
                                      Similarity
                                      • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                      • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                      • API String ID: 2263259095-3798722523

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                        • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                        • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                        • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                      • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                      • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                      • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                      Strings
                                      Similarity
                                      • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                      • String ID: $/deleteregkey$/savelangfile
                                      • API String ID: 2744995895-28296030

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                        • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                      • wcsrchr.MSVCRT ref: 0040B738
                                      • memset.MSVCRT ref: 0040B756
                                      • memset.MSVCRT ref: 0040B7F5
                                      • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                      • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                      • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                      • memset.MSVCRT ref: 0040B851
                                      • memset.MSVCRT ref: 0040B8CA
                                      • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                      • memset.MSVCRT ref: 0040BB53
                                      • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                      • String ID: chp$v10
                                      • API String ID: 4165125987-2783969131
                                      • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                      • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                      • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                      • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 004091E2
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                      • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                      • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                      • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                      • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                      • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                      • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                      • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                      • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                      • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                      • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                      • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                      • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                      • String ID:
                                      • API String ID: 3715365532-3916222277
                                      • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                      • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                      • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                      • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                      • memset.MSVCRT ref: 00413D7F
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                      • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                      • memset.MSVCRT ref: 00413E07
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                      • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                      • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                      • free.MSVCRT ref: 00413EC1
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                      • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
                                      • String ID: QueryFullProcessImageNameW$kernel32.dll
                                      • API String ID: 3536422406-1740548384
                                      • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                      • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                      • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                      • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                        • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                        • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                        • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                        • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                        • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                      • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                      • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                      • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                      • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                      • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                      • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                      • CloseHandle.KERNEL32(?), ref: 0040E148
                                      • CloseHandle.KERNEL32(?), ref: 0040E14D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                      • String ID: bhv
                                      • API String ID: 4234240956-2689659898
                                      • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                      • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                      • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                      • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                      • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                      • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                      • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                      • API String ID: 2941347001-70141382
                                      • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                      • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                      • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                      • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                      • String ID:
                                      • API String ID: 2827331108-0
                                      • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                      • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                      • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                      • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0040C298
                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                      • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                      • wcschr.MSVCRT ref: 0040C324
                                      • wcschr.MSVCRT ref: 0040C344
                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                      • GetLastError.KERNEL32 ref: 0040C373
                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                      • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                      • String ID: visited:
                                      • API String ID: 1157525455-1702587658
                                      • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                      • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                      • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                      • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                      • memset.MSVCRT ref: 0040E1BD
                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                      • free.MSVCRT ref: 0040E28B
                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                        • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                        • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                      • _snwprintf.MSVCRT ref: 0040E257
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                      • String ID: $ContainerId$Container_%I64d$Containers$Name
                                      • API String ID: 2804212203-2982631422
                                      • Opcode ID: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                      • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                      • Opcode Fuzzy Hash: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                      • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                      • memset.MSVCRT ref: 0040BC75
                                      • memset.MSVCRT ref: 0040BC8C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                      • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                      • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                      • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                      • String ID:
                                      • API String ID: 115830560-3916222277
                                      • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                      • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                      • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                      • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                      Control-flow Graph

                                      APIs
                                      • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                      • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                      • GetLastError.KERNEL32 ref: 0041847E
                                      • free.MSVCRT ref: 0041848B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CreateFile$ErrorLastfree
                                      • String ID: |A
                                      • API String ID: 77810686-1717621600
                                      • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                      • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                      • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                      • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0041249C
                                      • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                      • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                      • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                      • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                      • wcscpy.MSVCRT ref: 004125A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                      • String ID: r!A
                                      • API String ID: 2791114272-628097481
                                      • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                      • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                      • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                      • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                        • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                        • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                        • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                        • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                        • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                      • _wcslwr.MSVCRT ref: 0040C817
                                        • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                        • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                      • wcslen.MSVCRT ref: 0040C82C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                      • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                      • API String ID: 2936932814-4196376884
                                      • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                      • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                      • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                      • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                      • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                      • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                      • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                      • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                      • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                      • String ID: BIN
                                      • API String ID: 1668488027-1015027815
                                      • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                      • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                      • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                      • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                      APIs
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                      • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                      • wcslen.MSVCRT ref: 0040BE06
                                      • wcsncmp.MSVCRT ref: 0040BE38
                                      • memset.MSVCRT ref: 0040BE91
                                      • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                      • _wcsnicmp.MSVCRT ref: 0040BEFC
                                      • wcschr.MSVCRT ref: 0040BF24
                                      • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                      • String ID:
                                      • API String ID: 697348961-0
                                      • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                      • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                      • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                      • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                      APIs
                                      • memset.MSVCRT ref: 00403CBF
                                      • memset.MSVCRT ref: 00403CD4
                                      • memset.MSVCRT ref: 00403CE9
                                      • memset.MSVCRT ref: 00403CFE
                                      • memset.MSVCRT ref: 00403D13
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 00403DDA
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Waterfox$Waterfox\Profiles
                                      • API String ID: 3527940856-11920434
                                      • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                      • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                      • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                      • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                      APIs
                                      • memset.MSVCRT ref: 00403E50
                                      • memset.MSVCRT ref: 00403E65
                                      • memset.MSVCRT ref: 00403E7A
                                      • memset.MSVCRT ref: 00403E8F
                                      • memset.MSVCRT ref: 00403EA4
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 00403F6B
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                      • API String ID: 3527940856-2068335096
                                      • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                      • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                      • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                      • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                      APIs
                                      • memset.MSVCRT ref: 00403FE1
                                      • memset.MSVCRT ref: 00403FF6
                                      • memset.MSVCRT ref: 0040400B
                                      • memset.MSVCRT ref: 00404020
                                      • memset.MSVCRT ref: 00404035
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 004040FC
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                      • API String ID: 3527940856-3369679110
                                      • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                      • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                      • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                      • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                      APIs
                                      • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                      • API String ID: 3510742995-2641926074
                                      • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                      • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                      • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                      • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                      APIs
                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                        • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                        • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                      • memset.MSVCRT ref: 004033B7
                                      • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                      • wcscmp.MSVCRT ref: 004033FC
                                      • _wcsicmp.MSVCRT ref: 00403439
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                      • String ID: $0.@
                                      • API String ID: 2758756878-1896041820
                                      • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                      • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                      • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                      • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 2941347001-0
                                      • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                      • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                      • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                      • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                      APIs
                                      • memset.MSVCRT ref: 00403C09
                                      • memset.MSVCRT ref: 00403C1E
                                        • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                        • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                      • wcscat.MSVCRT ref: 00403C47
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                      • wcscat.MSVCRT ref: 00403C70
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memsetwcscat$Closewcscpywcslen
                                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                      • API String ID: 3249829328-1174173950
                                      • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                      • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                      • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                      • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                      APIs
                                      • memset.MSVCRT ref: 0040A824
                                      • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                      • wcscpy.MSVCRT ref: 0040A854
                                      • wcscat.MSVCRT ref: 0040A86A
                                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                      • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 669240632-0
                                      • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                      • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                      • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                      • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                      APIs
                                      • wcschr.MSVCRT ref: 00414458
                                      • _snwprintf.MSVCRT ref: 0041447D
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PrivateProfileString$Write_snwprintfwcschr
                                      • String ID: "%s"
                                      • API String ID: 1343145685-3297466227
                                      • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                      • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                      • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                      • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                      • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                      • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProcessTimes
                                      • String ID: GetProcessTimes$kernel32.dll
                                      • API String ID: 1714573020-3385500049
                                      • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                      • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                      • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                      • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                      APIs
                                      • memset.MSVCRT ref: 004087D6
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                        • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                      • memset.MSVCRT ref: 00408828
                                      • memset.MSVCRT ref: 00408840
                                      • memset.MSVCRT ref: 00408858
                                      • memset.MSVCRT ref: 00408870
                                      • memset.MSVCRT ref: 00408888
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                      • String ID:
                                      • API String ID: 2911713577-0
                                      • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                      • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                      • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                      • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                      APIs
                                      • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                      • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                      • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: @ $SQLite format 3
                                      • API String ID: 1475443563-3708268960
                                      • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                      • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                      • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                      • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
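The function above decides whether a candidate file is a SQLite database by a 16-byte memcmp() against "SQLite format 3" at 0041F22D, i.e. by the file header rather than by the file name. The following is an added example written for this page, not code from the Joe Sandbox report or from the analysed sample: it reproduces that header check in Python and pulls the page-size and file-format fields from the same 100-byte header, so a triage script can tell a real browser database (places.sqlite, a Chrome Login Data file) from a renamed or truncated one. The operands of the 4-byte and 3-byte compares at 0041F202 and 0041F299 are not visible in the report, so only the SQLite compare is reproduced; the file names and contents in SAMPLE_FILES are constructed for the example.

```python
import struct

# 16-byte SQLite 3 header magic, including the trailing NUL; this is the exact
# length the sample passes to memcmp() (00000010) at 0041F22D.
SQLITE_MAGIC = b"SQLite format 3\x00"
SQLITE_HEADER_LEN = 100  # the fixed-size file header every SQLite 3 database starts with


def sqlite_header_info(data: bytes):
    """Return parsed header fields if `data` begins with a SQLite 3 database header, else None.

    Only the magic decides, exactly as in the sample: file name and extension are ignored.
    A buffer shorter than the 100-byte header is rejected so a truncated copy is not
    mistaken for a usable database.
    """
    if len(data) < SQLITE_HEADER_LEN or data[:16] != SQLITE_MAGIC:
        return None
    page_size = struct.unpack_from(">H", data, 16)[0]  # big-endian, offset 16
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    return {
        "page_size": page_size,
        "write_version": data[18],  # 1 = legacy rollback journal, 2 = WAL
        "read_version": data[19],
        "reserved_per_page": data[20],
    }


def build_sample_header(page_size: int = 4096) -> bytes:
    """Construct a minimal, valid-looking SQLite 3 header (test input, not a real database)."""
    hdr = bytearray(SQLITE_HEADER_LEN)
    hdr[:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = 1  # file format write version
    hdr[19] = 1  # file format read version
    hdr[21], hdr[22], hdr[23] = 64, 32, 32  # fixed payload-fraction constants
    return bytes(hdr)


# Constructed candidate files. The names are borrowed from strings the sample
# carries elsewhere in this report; the contents are made up for the example.
SAMPLE_FILES = {
    "places.sqlite": build_sample_header(),
    "history.dat": b"\x00\x00\x00\x01" + b"\x00" * 120,
    "WebCacheV01.dat": b"\x12\x34\x56\x78" + b"\x00" * 120,
}


def classify_candidates(files: dict) -> dict:
    """Label each candidate by header content: 'sqlite3' or 'unknown'."""
    return {
        name: ("sqlite3" if sqlite_header_info(blob) is not None else "unknown")
        for name, blob in files.items()
    }


if __name__ == "__main__":
    for name, label in classify_candidates(SAMPLE_FILES).items():
        info = sqlite_header_info(SAMPLE_FILES[name])
        print(f"{name:18} {label:8} {info if info else ''}")
```

The check deliberately does not trust the extension: a stealer that matches on the header will read a Login Data file copied to a .tmp name, and a triage script should do the same when deciding which of the dropped or copied files are worth decrypting.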
                                      APIs
                                        • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                      • memset.MSVCRT ref: 00414C87
                                      • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                      • wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressCloseProcVersionmemsetwcscpy
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                      • API String ID: 2705122986-2036018995
                                      • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                      • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                      • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                      • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmpqsort
                                      • String ID: /nosort$/sort
                                      • API String ID: 1579243037-1578091866
                                      • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                      • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                      • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                      • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                      APIs
                                      • memset.MSVCRT ref: 0040E60F
                                      • memset.MSVCRT ref: 0040E629
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Strings
                                      • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                      • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                      • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                      • API String ID: 3354267031-2114579845
                                      • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                      • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                      • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                      • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                      APIs
                                      • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                      • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                      • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                      • LockResource.KERNEL32(00000000), ref: 004148EF
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID:
                                      • API String ID: 3473537107-0
                                      • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                      • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                      • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                      • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                      • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                      • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                      • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                      APIs
                                      Strings
                                      • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: only a single result allowed for a SELECT that is part of an expression
                                      • API String ID: 2221118986-1725073988
                                      • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                      • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                      • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                      • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                      APIs
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                      • DeleteObject.GDI32(00000000), ref: 004125E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??3@DeleteObject
                                      • String ID: r!A
                                      • API String ID: 1103273653-628097481
                                      • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                      • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                      • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                      • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                      APIs
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@
                                      • String ID:
                                      • API String ID: 1033339047-0
                                      • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                      • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                      • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                      • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                      APIs
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                      • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$memcmp
                                      • String ID: $$8
                                      • API String ID: 2808797137-435121686
                                      • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                      • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                      • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                      • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                      Strings
                                      • duplicate column name: %s, xrefs: 004307FE
                                      • too many columns on %s, xrefs: 00430763
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: duplicate column name: %s$too many columns on %s
                                      • API String ID: 0-1445880494
                                      • Opcode ID: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                      • Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
                                      • Opcode Fuzzy Hash: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                      • Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
                                      APIs
                                        • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                        • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                        • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                        • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                        • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                        • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                        • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                        • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                        • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                      • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                        • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                        • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                        • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76F92EE0), ref: 0040E3EC
                                      • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                      • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                        • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                        • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                        • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                      • String ID:
                                      • API String ID: 1979745280-0
                                      • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                      • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                      • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                      • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                      APIs
                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                      • memset.MSVCRT ref: 00403A55
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                      • String ID: history.dat$places.sqlite
                                      • API String ID: 2641622041-467022611
                                      • Opcode ID: 05f9737078ef75c1c81c27231a8cbd2d8a2d76354893ce3757c3369515f6e8ef
                                      • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                      • Opcode Fuzzy Hash: 05f9737078ef75c1c81c27231a8cbd2d8a2d76354893ce3757c3369515f6e8ef
                                      • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                      APIs
                                        • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                      • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                      • GetLastError.KERNEL32 ref: 00417627
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLast$File$PointerRead
                                      • String ID:
                                      • API String ID: 839530781-0
                                      • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                      • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                      • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                      • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID: *.*$index.dat
                                      • API String ID: 1974802433-2863569691
                                      • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                      • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                      • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                      • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                      • GetLastError.KERNEL32 ref: 004175A2
                                      • GetLastError.KERNEL32 ref: 004175A8
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLast$FilePointer
                                      • String ID:
                                      • API String ID: 1156039329-0
                                      • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                      • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                      • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                      • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                      • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleTime
                                      • String ID:
                                      • API String ID: 3397143404-0
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                      • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Temp$DirectoryFileNamePathWindows
                                      • String ID:
                                      • API String ID: 1125800050-0
                                      APIs
                                      • Sleep.KERNEL32(00000064), ref: 004175D0
                                      • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CloseHandleSleep
                                      • String ID: }A
                                      • API String ID: 252777609-2138825249
                                      APIs
                                      • malloc.MSVCRT ref: 00409A10
                                      • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                      • free.MSVCRT ref: 00409A31
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: freemallocmemcpy
                                      • String ID:
                                      • API String ID: 3056473165-0
                                      Strings
                                      • failed memory resize %u to %u bytes, xrefs: 00415358
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: realloc
                                      • String ID: failed memory resize %u to %u bytes
                                      • API String ID: 471065373-2134078882
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: d
                                      • API String ID: 0-2564639436
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: BINARY
                                      • API String ID: 2221118986-907554435
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: /stext
                                      • API String ID: 2081463915-3817206916
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                      • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 2445788494-0
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                      • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 3150196962-0
                                      Strings
                                      • failed to allocate %u bytes of memory, xrefs: 004152F0
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: malloc
                                      • String ID: failed to allocate %u bytes of memory
                                      • API String ID: 2803490479-1168259600
                                      APIs
                                      • memset.MSVCRT ref: 0041BDDF
                                      • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcmpmemset
                                      • String ID:
                                      • API String ID: 1065087418-0
                                      APIs
                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                      • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                      • CloseHandle.KERNELBASE(?), ref: 00410654
                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                        • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                        • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                        • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                      • String ID:
                                      • API String ID: 1381354015-0
                                      APIs
                                      • memset.MSVCRT ref: 004301AD
                                      • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID:
                                      • API String ID: 1297977491-0
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      APIs
                                        • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                        • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                        • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                        • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                      • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$Time$CloseCompareCreateHandlememset
                                      • String ID:
                                      • API String ID: 2154303073-0
                                      APIs
                                        • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 3150196962-0
                                      APIs
                                      • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$PointerRead
                                      • String ID:
                                      • API String ID: 3154509469-0
                                      APIs
                                      • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                        • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                        • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                        • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$StringWrite_itowmemset
                                      • String ID:
                                      • API String ID: 4232544981-0
                                      APIs
                                      • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      APIs
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                      • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$FileModuleName
                                      • String ID:
                                      • API String ID: 3859505661-0
                                      • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                      • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                      • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                      • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                      • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                      • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                      • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                      APIs
                                      • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                      • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                      • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                      • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                      APIs
                                      • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                      • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                      • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                      • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                      • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                      • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                      • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                      APIs
                                      • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                      • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                      • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                      • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                      APIs
                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                      • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                      • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                      • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                      APIs
                                      • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                      • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                      • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                      • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                      APIs
                                      • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: EnumNamesResource
                                      • String ID:
                                      • API String ID: 3334572018-0
                                      • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                      • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                      • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                      • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                      APIs
                                      • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                      • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                      • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                      • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                      APIs
                                      • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CloseFind
                                      • String ID:
                                      • API String ID: 1863332320-0
                                      • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                      • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                      • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                      • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                      • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                      • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                      • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                      • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                      • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                      • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                      • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                      • Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                      • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                      APIs
                                      • memset.MSVCRT ref: 004095FC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                        • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                        • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                      • String ID:
                                      • API String ID: 3655998216-0
                                      • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                      • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                      • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                      • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                      • Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
                                      • Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                      • Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE
                                      APIs
                                      • memset.MSVCRT ref: 00445426
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                      • String ID:
                                      • API String ID: 1828521557-0
                                      • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                      • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                      • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                      • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID:
                                      • API String ID: 2081463915-0
                                      • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                      • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                      • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                      • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                      APIs
                                        • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateErrorHandleLastRead
                                      • String ID:
                                      • API String ID: 2136311172-0
                                      • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                      • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                      • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                      • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                      APIs
                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                      • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@??3@
                                      • String ID:
                                      • API String ID: 1936579350-0
                                      • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                      • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                      • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                      • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                      • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                      • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                      • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                      • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                      • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                      • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                      • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                      • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                      • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                      APIs
                                      • EmptyClipboard.USER32 ref: 004098EC
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                      • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                      • GlobalLock.KERNEL32(00000000), ref: 00409927
                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                      • GetLastError.KERNEL32 ref: 0040995D
                                      • CloseHandle.KERNEL32(?), ref: 00409969
                                      • GetLastError.KERNEL32 ref: 00409974
                                      • CloseClipboard.USER32 ref: 0040997D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                      • String ID:
                                      • API String ID: 3604893535-0
                                      • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                      • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                      • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                      • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                      APIs
                                      • EmptyClipboard.USER32 ref: 00409882
                                      • wcslen.MSVCRT ref: 0040988F
                                      • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                      • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                      • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                      • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                      • CloseClipboard.USER32 ref: 004098D7
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                      • String ID:
                                      • API String ID: 1213725291-0
                                      • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                      • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                      • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                      • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                      APIs
                                      • GetLastError.KERNEL32 ref: 004182D7
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                      • LocalFree.KERNEL32(?), ref: 00418342
                                      • free.MSVCRT ref: 00418370
                                        • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,0041755F,?), ref: 00417452
                                        • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                      • String ID: OsError 0x%x (%u)
                                      • API String ID: 2360000266-2664311388
                                      • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                      • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                      • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                      • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@??3@memcpymemset
                                      • String ID:
                                      • API String ID: 1865533344-0
                                      • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                      • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                      • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                      • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 004173BE
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Version
                                      • String ID:
                                      • API String ID: 1889659487-0
                                      • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                      • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                      • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                      • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                      APIs
                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: NtdllProc_Window
                                      • String ID:
                                      • API String ID: 4255912815-0
                                      • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                      • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                      • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                      • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                      APIs
                                      • _wcsicmp.MSVCRT ref: 004022A6
                                      • _wcsicmp.MSVCRT ref: 004022D7
                                      • _wcsicmp.MSVCRT ref: 00402305
                                      • _wcsicmp.MSVCRT ref: 00402333
                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                      • memset.MSVCRT ref: 0040265F
                                      • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                      • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                      • API String ID: 577499730-1134094380
                                      • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                      • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                      • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                      • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                      • String ID: :stringdata$ftp://$http://$https://
                                      • API String ID: 2787044678-1921111777
                                      • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                      • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                      • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                      • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                      • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                      • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                      • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                      • GetWindowRect.USER32(?,?), ref: 00414088
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                      • GetDC.USER32 ref: 004140E3
                                      • wcslen.MSVCRT ref: 00414123
                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                      • ReleaseDC.USER32(?,?), ref: 00414181
                                      • _snwprintf.MSVCRT ref: 00414244
                                      • SetWindowTextW.USER32(?,?), ref: 00414258
                                      • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                      • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                      • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                      • GetClientRect.USER32(?,?), ref: 004142E1
                                      • GetWindowRect.USER32(?,?), ref: 004142EB
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                      • GetClientRect.USER32(?,?), ref: 0041433B
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                      • String ID: %s:$EDIT$STATIC
                                      • API String ID: 2080319088-3046471546
                                      • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                      • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                      • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                      • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                      APIs
                                      • EndDialog.USER32(?,?), ref: 00413221
                                      • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                      • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                      • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                      • memset.MSVCRT ref: 00413292
                                      • memset.MSVCRT ref: 004132B4
                                      • memset.MSVCRT ref: 004132CD
                                      • memset.MSVCRT ref: 004132E1
                                      • memset.MSVCRT ref: 004132FB
                                      • memset.MSVCRT ref: 00413310
                                      • GetCurrentProcess.KERNEL32 ref: 00413318
                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                      • memset.MSVCRT ref: 004133C0
                                      • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                      • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                      • wcscpy.MSVCRT ref: 0041341F
                                      • _snwprintf.MSVCRT ref: 0041348E
                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                      • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                      • SetFocus.USER32(00000000), ref: 004134B7
                                      Strings
                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                      • {Unknown}, xrefs: 004132A6
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                      • API String ID: 4111938811-1819279800
                                      • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                      • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                      • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                      • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                      APIs
                                      • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                      • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                      • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                      • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                      • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                      • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                      • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                      • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                      • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                      • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                      • EndDialog.USER32(?,?), ref: 0040135E
                                      • DeleteObject.GDI32(?), ref: 0040136A
                                      • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                      • ShowWindow.USER32(00000000), ref: 00401398
                                      • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                      • ShowWindow.USER32(00000000), ref: 004013A7
                                      • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                      • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                      • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                      • String ID:
                                      • API String ID: 829165378-0
                                      • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                      • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                      • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                      • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                      APIs
                                      • memset.MSVCRT ref: 00404172
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      • wcscpy.MSVCRT ref: 004041D6
                                      • wcscpy.MSVCRT ref: 004041E7
                                      • memset.MSVCRT ref: 00404200
                                      • memset.MSVCRT ref: 00404215
                                      • _snwprintf.MSVCRT ref: 0040422F
                                      • wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 0040426E
                                      • memset.MSVCRT ref: 004042CD
                                      • memset.MSVCRT ref: 004042E2
                                      • _snwprintf.MSVCRT ref: 004042FE
                                      • wcscpy.MSVCRT ref: 00404311
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                      • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                      • API String ID: 2454223109-1580313836
                                      • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                      • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                      • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                      • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                      APIs
                                        • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                      • SetMenu.USER32(?,00000000), ref: 00411453
                                      • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                      • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                      • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                      • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                      • ShowWindow.USER32(?,?), ref: 004115FE
                                      • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                      • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                      • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                      • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                      • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                        • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                        • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                      • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                      • API String ID: 4054529287-3175352466
                                      • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                      • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                      • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                      • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                      • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                      • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                      • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                      • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                      • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                      • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                      • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                      • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                      • API String ID: 667068680-2887671607
                                      • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                      • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                      • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                      • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
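The records above are raw per-function API traces, and reading them one at a time hides the patterns a triager cares about: the routine at 00413542 resolves eight `Nt*` exports from ntdll.dll by name, the routine at 00404172 walks Firefox's `profiles.ini` (`General`, `IsRelative`, `Path`, `Profile%d`), and the two routines at 004098EC and 00409882 write a file or a wide string into the clipboard as CF_UNICODETEXT (`SetClipboardData(0000000D, ...)`). The following script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses records in exactly this layout (the `•` API bullets, the indented `Part of subcall function` lines, and the `String ID` / `Opcode ID` / `Instruction Fuzzy Hash` fields), rebuilds each function's call sequence and tags the behaviours above. The tag names and rule set are this example's own choices; the `SAMPLE` input is three records excerpted from this page; CF_TEXT = 1 and CF_UNICODETEXT = 13 are the standard Windows clipboard format values.

```python
"""Triage helper for the per-function records of a Joe Sandbox IDA-plugin report.

Added example, not Joe Sandbox code. Parses "APIs" bullets and the "String ID" /
"Opcode ID" / "Instruction Fuzzy Hash" fields, rebuilds the call sequence per
function and tags behaviours a triager would check for in this sample.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909", "• wcslen.MSVCRT ref: ..."
# and the indented "• Part of subcall function 004096C3: CreateFileW.KERNELBASE(...), ref: ..."
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[\w?@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-F]+)"
)
FIELD_RE = re.compile(r"•\s*(?P<key>[A-Za-z ]+(?:ID|Hash)):\s*(?P<value>.*)")
RECORD_END = "Instruction Fuzzy Hash"            # last field of every record
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}  # uFormat values (Windows constants)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    via_subcall: Optional[str]  # callee address when the call happens one level down


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def strings(self) -> List[str]:
        # The report joins a function's strings with "$"; a literal "$" inside a
        # string is split as well, which is acceptable for tagging purposes.
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    def calls(self, name: str) -> List[ApiCall]:
        return [a for a in self.apis if a.name == name]


def parse_records(text: str) -> List[FunctionRecord]:
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
            continue
        m = FIELD_RE.search(line)
        if m:
            cur.fields[m["key"]] = m["value"].strip()
            if m["key"] == RECORD_END:       # record complete, start the next one
                records.append(cur)
                cur = FunctionRecord()
    if cur.apis or cur.fields:               # tolerate a truncated final record
        records.append(cur)
    return records


def tag_record(rec: FunctionRecord) -> List[str]:
    """Behaviour rules for this sample; tag names are this example's own."""
    tags, names, strings = [], {a.name for a in rec.apis}, set(rec.strings)
    if {"EmptyClipboard", "SetClipboardData"} <= names:
        first = rec.calls("SetClipboardData")[0]
        fmt = int(first.args[0], 16) if first.args and first.args[0] != "?" else None
        source = "file" if "ReadFile" in names else "memory"
        tags.append(f"clipboard-write:{CLIPBOARD_FORMATS.get(fmt, fmt)}:{source}")
    if "GetProcAddress" in names and "ntdll.dll" in strings:
        tags.append("ntdll-resolve:" + ",".join(sorted(s for s in strings if s.startswith("Nt"))))
    if {"profiles.ini", "IsRelative", "Path"} <= strings:
        tags.append("firefox-profile-discovery")
    if any(s.startswith("<table") for s in strings):
        tags.append("html-report-builder")
    return tags


def triage(text: str):
    """(opcode-id prefix, API sequence, tags) for every record, in report order."""
    return [(r.fields.get("Opcode ID", "?")[:12], [a.name for a in r.apis], tag_record(r))
            for r in parse_records(text)]


# Constructed input: three records excerpted from this report (dump 0000000A.00000002, base 00400000).
SAMPLE = """\
APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• CloseClipboard.USER32 ref: 0040997D
• String ID:
• Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
• Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
• Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• _snwprintf.MSVCRT ref: 0040422F
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
• Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
"""

if __name__ == "__main__":
    for opcode, seq, tags in triage(SAMPLE):
        print(opcode, "->".join(seq), tags or "-")
```

Run against the full text of this section, the script turns a few thousand lines of traces into a short list of tagged opcode IDs, which is the unit you would then pivot on (the Opcode ID is stable across samples that share the embedded tool code). Note that subcall lines are kept in the sequence with their callee address, so a function that only reaches `ReadFile` through a helper still gets the `file` source tag.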
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _snwprintf$memset$wcscpy
                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                      • API String ID: 2000436516-3842416460
                                      • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                      • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                      • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                      • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                      APIs
                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                        • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                        • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                        • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                      • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                      • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                      • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                      • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                      • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                      • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                      • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                      • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                      • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                      • String ID:
                                      • API String ID: 1043902810-0
                                      • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                      • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                      • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                      • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                      APIs
                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                      • free.MSVCRT ref: 0040E49A
                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                      • memset.MSVCRT ref: 0040E380
                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                      • wcschr.MSVCRT ref: 0040E3B8
                                      • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76F92EE0), ref: 0040E3EC
                                      • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76F92EE0), ref: 0040E407
                                      • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,76F92EE0), ref: 0040E422
                                      • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,76F92EE0), ref: 0040E43D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                      • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                      • API String ID: 3849927982-2252543386
                                      • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                      • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                      • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                      • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                      APIs
                                      • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                      • _snwprintf.MSVCRT ref: 0044488A
                                      • wcscpy.MSVCRT ref: 004448B4
                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@??3@_snwprintfwcscpy
                                      • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                      • API String ID: 2899246560-1542517562
                                      • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                      • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                      • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                      • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                      • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      • memset.MSVCRT ref: 004085CF
                                      • memset.MSVCRT ref: 004085F1
                                      • memset.MSVCRT ref: 00408606
                                      • strcmp.MSVCRT ref: 00408645
                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                      • memset.MSVCRT ref: 0040870E
                                      • strcmp.MSVCRT ref: 0040876B
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                      • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                      • String ID: ---
                                      • API String ID: 3437578500-2854292027
                                      • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                      • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                      • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                      • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                      APIs
                                      • memset.MSVCRT ref: 0041087D
                                      • memset.MSVCRT ref: 00410892
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                      • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                      • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                      • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                      • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                      • GetSysColor.USER32(0000000F), ref: 00410999
                                      • DeleteObject.GDI32(?), ref: 004109D0
                                      • DeleteObject.GDI32(?), ref: 004109D6
                                      • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                      • String ID:
                                      • API String ID: 1010922700-0
                                      • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                      • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                      • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                      • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                      APIs
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                      • malloc.MSVCRT ref: 004186B7
                                      • free.MSVCRT ref: 004186C7
                                      • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                      • free.MSVCRT ref: 004186E0
                                      • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                      • malloc.MSVCRT ref: 004186FE
                                      • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                      • free.MSVCRT ref: 00418716
                                      • free.MSVCRT ref: 0041872A
                                      • free.MSVCRT ref: 00418749
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$FullNamePath$malloc$Version
                                      • String ID: |A
                                      • API String ID: 3356672799-1717621600
                                      • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                      • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                      • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                      • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                      • API String ID: 2081463915-1959339147
                                      • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                      • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                      • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                      • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                      • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                      • API String ID: 2012295524-70141382
                                      • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                      • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                      • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                      • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                      • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                      • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                      • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                      • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                      • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                      • API String ID: 667068680-3953557276
                                      • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                      • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                      • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                      • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                      APIs
                                      • GetDC.USER32(00000000), ref: 004121FF
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                      • SetBkMode.GDI32(?,00000001), ref: 00412232
                                      • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                      • SelectObject.GDI32(?,?), ref: 00412251
                                      • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                      • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                        • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                        • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                        • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                      • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                      • SetCursor.USER32(00000000), ref: 004122BC
                                      • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                      • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                      • String ID:
                                      • API String ID: 1700100422-0
                                      • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                      • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                      • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                      • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004111E0
                                      • GetWindowRect.USER32(?,?), ref: 004111F6
                                      • GetWindowRect.USER32(?,?), ref: 0041120C
                                      • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                      • GetWindowRect.USER32(00000000), ref: 0041124D
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                      • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                      • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                      • EndDeferWindowPos.USER32(?), ref: 0041130B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Window$Defer$Rect$BeginClientItemPoints
                                      • String ID:
                                      • API String ID: 552707033-0
                                      • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                      • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                      • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                      • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                        • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                        • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                      • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                      • strchr.MSVCRT ref: 0040C140
                                      • strchr.MSVCRT ref: 0040C151
                                      • _strlwr.MSVCRT ref: 0040C15F
                                      • memset.MSVCRT ref: 0040C17A
                                      • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                      • String ID: 4$h
                                      • API String ID: 4066021378-1856150674
                                      • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                      • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                      • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                      • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf
                                      • String ID: %%0.%df
                                      • API String ID: 3473751417-763548558
                                      • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                      • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                      • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                      • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                      APIs
                                      • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                      • KillTimer.USER32(?,00000041), ref: 004060D7
                                      • KillTimer.USER32(?,00000041), ref: 004060E8
                                      • GetTickCount.KERNEL32 ref: 0040610B
                                      • GetParent.USER32(?), ref: 00406136
                                      • SendMessageW.USER32(00000000), ref: 0040613D
                                      • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                      • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                      • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                      • String ID: A
                                      • API String ID: 2892645895-3554254475
                                      • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                      • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                      • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                      • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                      APIs
                                      • LoadMenuW.USER32(?,?), ref: 0040D97F
                                        • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                        • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                        • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                        • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                      • DestroyMenu.USER32(00000000), ref: 0040D99D
                                      • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                      • GetDesktopWindow.USER32 ref: 0040D9FD
                                      • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                      • memset.MSVCRT ref: 0040DA23
                                      • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                      • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                      • DestroyWindow.USER32(00000005), ref: 0040DA70
                                        • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                      • String ID: caption
                                      • API String ID: 973020956-4135340389
                                      • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                      • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                      • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                      • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                      APIs
                                      Strings
                                      • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                      • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                      • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                      • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf$wcscpy
                                      • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                      • API String ID: 1283228442-2366825230
                                      • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                      • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                      • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                      • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                      APIs
                                      • wcschr.MSVCRT ref: 00413972
                                      • wcscpy.MSVCRT ref: 00413982
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                      • wcscpy.MSVCRT ref: 004139D1
                                      • wcscat.MSVCRT ref: 004139DC
                                      • memset.MSVCRT ref: 004139B8
                                        • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                        • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                      • memset.MSVCRT ref: 00413A00
                                      • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                      • wcscat.MSVCRT ref: 00413A27
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                      • String ID: \systemroot
                                      • API String ID: 4173585201-1821301763
                                      • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                      • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                      • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                      • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                      • String ID: 0$6
                                      • API String ID: 4066108131-3849865405
                                      • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                      • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                      • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                      • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                      APIs
                                      • memset.MSVCRT ref: 004082EF
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                      • memset.MSVCRT ref: 00408362
                                      • memset.MSVCRT ref: 00408377
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$ByteCharMultiWide
                                      • String ID:
                                      • API String ID: 290601579-0
                                      • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                      • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                      • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                      • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$wcslen
                                      • String ID:
                                      • API String ID: 3592753638-3916222277
                                      • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                      • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                      • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                      • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                      APIs
                                      • memset.MSVCRT ref: 0040A47B
                                      • _snwprintf.MSVCRT ref: 0040A4AE
                                      • wcslen.MSVCRT ref: 0040A4BA
                                      • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                      • wcslen.MSVCRT ref: 0040A4E0
                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$_snwprintfmemset
                                      • String ID: %s (%s)$YV@
                                      • API String ID: 3979103747-598926743
                                      • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                      • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                      • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                      • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                      APIs
                                      • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                      • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                      • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadMessageProc
                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                      • API String ID: 2780580303-317687271
                                      • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                      • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                      • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                      • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                      APIs
                                      • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                      • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                      • wcslen.MSVCRT ref: 0040A6B1
                                      • wcscpy.MSVCRT ref: 0040A6C1
                                      • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                      • wcscpy.MSVCRT ref: 0040A6DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                      • String ID: Unknown Error$netmsg.dll
                                      • API String ID: 2767993716-572158859
                                      • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                      • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                      • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                      • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                      APIs
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      • wcscpy.MSVCRT ref: 0040DAFB
                                      • wcscpy.MSVCRT ref: 0040DB0B
                                      • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                        • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PrivateProfilewcscpy$AttributesFileString
                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                      • API String ID: 3176057301-2039793938
                                      • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                      • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                      • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                      • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                      APIs
                                      Strings
                                      • database %s is already in use, xrefs: 0042F6C5
                                      • unable to open database: %s, xrefs: 0042F84E
                                      • database is already attached, xrefs: 0042F721
                                      • cannot ATTACH database within transaction, xrefs: 0042F663
                                      • too many attached databases - max %d, xrefs: 0042F64D
                                      • out of memory, xrefs: 0042F865
                                      • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                      • API String ID: 1297977491-2001300268
                                      • Opcode ID: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                      • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                      • Opcode Fuzzy Hash: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                      • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                      APIs
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                      • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                      • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                      • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                      • String ID: ($d
                                      • API String ID: 1140211610-1915259565
                                      • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                      • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                      • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                      • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                      APIs
                                      • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                      • Sleep.KERNEL32(00000001), ref: 004178E9
                                      • GetLastError.KERNEL32 ref: 004178FB
                                      • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$ErrorLastLockSleepUnlock
                                      • String ID:
                                      • API String ID: 3015003838-0
                                      • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                      • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                      • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                      • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                      APIs
                                      • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                      • GetLastError.KERNEL32 ref: 0041855C
                                      • Sleep.KERNEL32(00000064), ref: 00418571
                                      • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                      • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                      • GetLastError.KERNEL32 ref: 0041858E
                                      • Sleep.KERNEL32(00000064), ref: 004185A3
                                      • free.MSVCRT ref: 004185AC
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$AttributesDeleteErrorLastSleep$free
                                      • String ID:
                                      • API String ID: 2802642348-0
                                      • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                      • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                      • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                      • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                      • memset.MSVCRT ref: 00413ADC
                                      • memset.MSVCRT ref: 00413AEC
                                        • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                      • memset.MSVCRT ref: 00413BD7
                                      • wcscpy.MSVCRT ref: 00413BF8
                                      • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$CloseHandleOpenProcess
                                      • String ID: 3A
                                      • API String ID: 3300951397-293699754
                                      • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                      • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                      • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                      • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                      • wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                        • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                      • wcslen.MSVCRT ref: 0040D1D3
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                      • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                      • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                      Similarity
                                      • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                      • String ID: strings
                                      • API String ID: 3166385802-3030018805
                                      APIs
                                      • memset.MSVCRT ref: 00411AF6
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                      • wcsrchr.MSVCRT ref: 00411B14
                                      • wcscat.MSVCRT ref: 00411B2E
                                      Similarity
                                      • API ID: FileModuleNamememsetwcscatwcsrchr
                                      • String ID: AE$.cfg$General$EA
                                      • API String ID: 776488737-1622828088
                                      APIs
                                      • memset.MSVCRT ref: 0040D8BD
                                      • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                      • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                      • memset.MSVCRT ref: 0040D906
                                      • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                      • _wcsicmp.MSVCRT ref: 0040D92F
                                        • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                        • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                      Similarity
                                      • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                      • String ID: sysdatetimepick32
                                      • API String ID: 1028950076-4169760276
                                      APIs
                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                      • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                      • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                      • memset.MSVCRT ref: 0041BA3D
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: -journal$-wal
                                      • API String ID: 438689982-2894717839
                                      APIs
                                      • GetSystemTime.KERNEL32(?), ref: 00418836
                                      • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                      • GetCurrentProcessId.KERNEL32 ref: 00418856
                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                      • GetTickCount.KERNEL32 ref: 0041887D
                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                      • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                      Similarity
                                      • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                      • String ID:
                                      • API String ID: 4218492932-0
                                      APIs
                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                      • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                      • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                      • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                      • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: gj
                                      • API String ID: 438689982-4203073231
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                      • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                      • memset.MSVCRT ref: 00405ABB
                                      • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                      • SetFocus.USER32(?), ref: 00405B76
                                      Similarity
                                      • API ID: MessageSend$FocusItemmemset
                                      • String ID:
                                      • API String ID: 4281309102-0
                                      Similarity
                                      • API ID: _snwprintfwcscat
                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                      • API String ID: 384018552-4153097237
                                      Similarity
                                      • API ID: ItemMenu$CountInfomemsetwcschr
                                      • String ID: 0$6
                                      • API String ID: 2029023288-3849865405
                                      APIs
                                        • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                      • memset.MSVCRT ref: 00405455
                                      • memset.MSVCRT ref: 0040546C
                                      • memset.MSVCRT ref: 00405483
                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                      Similarity
                                      • API ID: memset$memcpy$ErrorLast
                                      • String ID: 6$\
                                      • API String ID: 404372293-1284684873
                                      APIs
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                      • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                      • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                      • wcscpy.MSVCRT ref: 0040A0D9
                                      • wcscat.MSVCRT ref: 0040A0E6
                                      • wcscat.MSVCRT ref: 0040A0F5
                                      • wcscpy.MSVCRT ref: 0040A107
                                      Similarity
                                      • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                      • String ID:
                                      • API String ID: 1331804452-0
                                      APIs
                                        • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                      Similarity
                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                      • String ID: advapi32.dll
                                      • API String ID: 2012295524-4050573280
                                      Strings
                                      • <%s>, xrefs: 004100A6
                                      • <?xml version="1.0" ?>, xrefs: 0041007C
                                      • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                      Similarity
                                      • API ID: memset$_snwprintf
                                      • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                      • API String ID: 3473751417-2880344631
                                      Similarity
                                      • API ID: wcscat$_snwprintfmemset
                                      • String ID: %2.2X
                                      • API String ID: 2521778956-791839006
                                      Similarity
                                      • API ID: _snwprintfwcscpy
                                      • String ID: dialog_%d$general$menu_%d$strings
                                      • API String ID: 999028693-502967061
                                      APIs
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                        • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                        • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                      • memset.MSVCRT ref: 0040C439
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                      • _wcsupr.MSVCRT ref: 0040C481
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                      • memset.MSVCRT ref: 0040C4D0
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                      Similarity
                                      • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                      • String ID:
                                      • API String ID: 4131475296-0
                                      APIs
                                      • memset.MSVCRT ref: 004116FF
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                        • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                      Similarity
                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                      • API String ID: 2618321458-3614832568
                                      • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                      • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                      • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                      • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AttributesFilefreememset
                                      • String ID:
                                      • API String ID: 2507021081-0
                                      • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                      • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                      • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                      • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                      APIs
                                      • AreFileApisANSI.KERNEL32 ref: 004174FC
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                      • malloc.MSVCRT ref: 00417524
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                      • free.MSVCRT ref: 00417544
                                      • free.MSVCRT ref: 00417562
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                      • String ID:
                                      • API String ID: 4131324427-0
                                      • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                      • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                      • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                      • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                      APIs
                                      • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                      • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                      • free.MSVCRT ref: 0041822B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PathTemp$free
                                      • String ID: %s\etilqs_$etilqs_
                                      • API String ID: 924794160-1420421710
                                      • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                      • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                      • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                      • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                      APIs
                                      • wcscpy.MSVCRT ref: 0041477F
                                      • wcscpy.MSVCRT ref: 0041479A
                                      • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                      • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscpy$CloseCreateFileHandle
                                      • String ID: General
                                      • API String ID: 999786162-26480598
                                      • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                      • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                      • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                      • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLastMessage_snwprintf
                                      • String ID: Error$Error %d: %s
                                      • API String ID: 313946961-1552265934
                                      • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                      • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                      • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                      • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: foreign key constraint failed$new$oid$old
                                      • API String ID: 0-1953309616
                                      • Opcode ID: d53188324c3bf6180e19a573ea0f2635551865f2e98adbc70dd2d072c3df9dad
                                      • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                      • Opcode Fuzzy Hash: d53188324c3bf6180e19a573ea0f2635551865f2e98adbc70dd2d072c3df9dad
                                      • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                      APIs
                                      Strings
                                      • unknown column "%s" in foreign key definition, xrefs: 00431858
                                      • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                      • API String ID: 3510742995-272990098
                                      • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                      • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                      • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                      • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                      APIs
                                      • memset.MSVCRT ref: 0044A6EB
                                      • memset.MSVCRT ref: 0044A6FB
                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                      • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: gj
                                      • API String ID: 1297977491-4203073231
                                      • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                      • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                      • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                      • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                      APIs
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                      • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                      • free.MSVCRT ref: 0040E9D3
                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??3@$free
                                      • String ID:
                                      • API String ID: 2241099983-0
                                      • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                      • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                      • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                      • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                      APIs
                                      • AreFileApisANSI.KERNEL32 ref: 00417497
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                      • malloc.MSVCRT ref: 004174BD
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                      • free.MSVCRT ref: 004174E4
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                      • String ID:
                                      • API String ID: 4053608372-0
                                      • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                      • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                      • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                      • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                      APIs
                                      • GetParent.USER32(?), ref: 0040D453
                                      • GetWindowRect.USER32(?,?), ref: 0040D460
                                      • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Window$Rect$ClientParentPoints
                                      • String ID:
                                      • API String ID: 4247780290-0
                                      • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                      • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                      • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                      • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                      • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                      • memset.MSVCRT ref: 004450CD
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                        • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                      • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                      • String ID:
                                      • API String ID: 1471605966-0
                                      • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                      • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                      • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                      • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                      APIs
                                      • wcscpy.MSVCRT ref: 0044475F
                                      • wcscat.MSVCRT ref: 0044476E
                                      • wcscat.MSVCRT ref: 0044477F
                                      • wcscat.MSVCRT ref: 0044478E
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                        • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                        • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                      • String ID: \StringFileInfo\
                                      • API String ID: 102104167-2245444037
                                      • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                      • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                      • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                      • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                      APIs
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                      • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                      • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                      • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _memicmpwcslen
                                      • String ID: @@@@$History
                                      • API String ID: 1872909662-685208920
                                      • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                      • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                      • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                      • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                      APIs
                                      • memset.MSVCRT ref: 004100FB
                                      • memset.MSVCRT ref: 00410112
                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                      • _snwprintf.MSVCRT ref: 00410141
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf_wcslwrwcscpy
                                      • String ID: </%s>
                                      • API String ID: 3400436232-259020660
                                      • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                      • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                      • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                      • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                      APIs
                                      • memset.MSVCRT ref: 0040D58D
                                      • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                      • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ChildEnumTextWindowWindowsmemset
                                      • String ID: caption
                                      • API String ID: 1523050162-4135340389
                                      • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                      • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                      • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                      • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                      APIs
                                        • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                        • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                      • CreateFontIndirectW.GDI32(?), ref: 00401156
                                      • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                      • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                      • String ID: MS Sans Serif
                                      • API String ID: 210187428-168460110
                                      • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                      • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                      • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                      • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                      APIs
                                      • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                      • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                      • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                      • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                      • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$memcmp
                                      • String ID:
                                      • API String ID: 3384217055-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$memcpy
                                      • String ID:
                                      • API String ID: 368790112-0
                                      APIs
                                      • memset.MSVCRT ref: 0040560C
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                        • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                      • String ID: *.*$dat$wand.dat
                                      • API String ID: 2618321458-1828844352
                                      APIs
                                      • memset.MSVCRT ref: 00412057
                                        • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                      • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                      • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                      • GetKeyState.USER32(00000010), ref: 0041210D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                      • String ID:
                                      • API String ID: 3550944819-0
                                      APIs
                                      • free.MSVCRT ref: 0040F561
                                      • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                      • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$free
                                      • String ID: g4@
                                      • API String ID: 2888793982-2133833424
                                      APIs
                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                      • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: @
                                      • API String ID: 3510742995-2766056989
                                      APIs
                                      • memset.MSVCRT ref: 004144E7
                                        • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                        • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                      • memset.MSVCRT ref: 0041451A
                                      • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                      • String ID:
                                      • API String ID: 1127616056-0
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,0041755F,?), ref: 00417452
                                      • malloc.MSVCRT ref: 00417459
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,76F8DF80,?,0041755F,?), ref: 00417478
                                      • free.MSVCRT ref: 0041747F
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$freemalloc
                                      • String ID:
                                      • API String ID: 2605342592-0
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                      • RegisterClassW.USER32(?), ref: 00412428
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                      • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: HandleModule$ClassCreateRegisterWindow
                                      • String ID:
                                      • API String ID: 2678498856-0
                                      APIs
                                      • memset.MSVCRT ref: 0040F673
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                      • strlen.MSVCRT ref: 0040F6A2
                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      APIs
                                      • memset.MSVCRT ref: 0040F6E2
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                      • strlen.MSVCRT ref: 0040F70D
                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      APIs
                                        • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                        • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                        • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                      • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                      • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                      • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                      • GetStockObject.GDI32(00000000), ref: 004143C6
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                      • String ID:
                                      • API String ID: 764393265-0
                                      APIs
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Time$System$File$LocalSpecific
                                      • String ID:
                                      • API String ID: 979780441-0
                                      APIs
                                      • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                      • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                      • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$DialogHandleModuleParam
                                      • String ID:
                                      • API String ID: 1386444988-0
                                      APIs
                                      • wcschr.MSVCRT ref: 0040F79E
                                      • wcschr.MSVCRT ref: 0040F7AC
                                        • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                        • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcschr$memcpywcslen
                                      • String ID: "
                                      • API String ID: 1983396471-123907689
                                      APIs
                                      • _snwprintf.MSVCRT ref: 0040A398
                                      • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _snwprintfmemcpy
                                      • String ID: %2.2X
                                      • API String ID: 2789212964-323797159
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _snwprintf
                                      • String ID: %%-%d.%ds
                                      • API String ID: 3988819677-2008345750
                                      APIs
                                      • memset.MSVCRT ref: 0040E770
                                      • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessageSendmemset
                                      • String ID: F^@
                                      • API String ID: 568519121-3652327722
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PlacementWindowmemset
                                      • String ID: WinPos
                                      • API String ID: 4036792311-2823255486
                                      APIs
                                      • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                      • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                      • memset.MSVCRT ref: 0042BAAE
                                      • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID:
                                      • API String ID: 438689982-0
                                      APIs
                                        • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@$memset
                                      • String ID:
                                      • API String ID: 1860491036-0
                                      APIs
                                      • wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                      • free.MSVCRT ref: 0040A908
                                      • free.MSVCRT ref: 0040A92B
                                      • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$memcpy$mallocwcslen
                                      • String ID:
                                      • API String ID: 726966127-0
                                      • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                      • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                      • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                      • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                      APIs
                                      • wcslen.MSVCRT ref: 0040B1DE
                                      • free.MSVCRT ref: 0040B201
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                      • free.MSVCRT ref: 0040B224
                                      • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$memcpy$mallocwcslen
                                      • String ID:
                                      • API String ID: 726966127-0
                                      • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                      • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                      • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                      • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                      APIs
                                      • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                        • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                      • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                      • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                      • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcmp$memcpy
                                      • String ID:
                                      • API String ID: 231171946-0
                                      • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                      • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                      • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                      • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                      APIs
                                      • strlen.MSVCRT ref: 0040B0D8
                                      • free.MSVCRT ref: 0040B0FB
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                      • free.MSVCRT ref: 0040B12C
                                      • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$memcpy$mallocstrlen
                                      • String ID:
                                      • API String ID: 3669619086-0
                                      • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                      • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                      • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                      • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                      • malloc.MSVCRT ref: 00417407
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                      • free.MSVCRT ref: 00417425
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1494617163.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$freemalloc
                                      • String ID:
                                      • API String ID: 2605342592-0
                                      • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                      • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                      • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                      • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5