Windows Analysis Report
6122.scr.exe

Overview

General Information

Sample name: 6122.scr.exe (renamed by the sandbox; the original file name, a shipping-document lure with a .scr.exe double extension, is given below)
Original sample name: DN ISF S CLS930 KHH-TOLEDO(VIA NYC) SO#66158152 WKH2406122.scr.exe
Analysis ID: 1519262
MD5: 44fa8131343f26aaf5303090d7bba260
SHA1: 6ae8634d960f8e659ad166d4e1d95297ac114de3
SHA256: ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255
Tags: exe, user-threatcat_ch

Detection

Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Drops executable to a common third party application directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 6122.scr.exe (PID: 6044 cmdline: "C:\Users\user\Desktop\6122.scr.exe" MD5: 44FA8131343F26AAF5303090D7BBA260)
    • 6122.scr.exe (PID: 6180 cmdline: "C:\Users\user\Desktop\6122.scr.exe" MD5: 44FA8131343F26AAF5303090D7BBA260)
      • Adobe.exe (PID: 4500 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 44FA8131343F26AAF5303090D7BBA260)
        • Adobe.exe (PID: 528 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 44FA8131343F26AAF5303090D7BBA260)
          • Adobe.exe (PID: 6948 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq" MD5: 44FA8131343F26AAF5303090D7BBA260)
          • Adobe.exe (PID: 5988 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot" MD5: 44FA8131343F26AAF5303090D7BBA260)
          • Adobe.exe (PID: 6608 cmdline: C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq" MD5: 44FA8131343F26AAF5303090D7BBA260)
  • Adobe.exe (PID: 728 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 44FA8131343F26AAF5303090D7BBA260)
    • Adobe.exe (PID: 1784 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 44FA8131343F26AAF5303090D7BBA260)
  • Adobe.exe (PID: 5968 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 44FA8131343F26AAF5303090D7BBA260)
    • Adobe.exe (PID: 2220 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 44FA8131343F26AAF5303090D7BBA260)
  • Adobe.exe (PID: 6020 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 44FA8131343F26AAF5303090D7BBA260)
    • Adobe.exe (PID: 4476 cmdline: "C:\ProgramData\Adobe\Adobe.exe" MD5: 44FA8131343F26AAF5303090D7BBA260)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos): {"Host:Port:Password": "104.250.180.178:7902:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-OTOIRK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
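The extracted configuration above is only useful once it is turned into things a responder can hunt for. The following is an added example (not Joe Sandbox's or Remcos's code) that parses the JSON the extractor emits into host and network IOCs. It assumes that "Install path": "Application path" resolves to C:\ProgramData\<copy-file stem>\ (that is where this report's process tree shows the copy landing; other builds may differ), that the Run value is named after the mutex (the Sigma hits further down confirm this for this sample), and that multiple C2 entries, if a config carries them, are separated by '|'. The sample configuration in the block is the one from this report, trimmed to the keys the parser uses.

```python
"""Turn the Remcos configuration emitted by the sandbox's extractor into
hunting IOCs. Added example; not Joe Sandbox or Remcos code."""
from __future__ import annotations

import json
import ntpath
from dataclasses import dataclass, field

# Constructed input: the configuration shown in this report, trimmed to the keys used here.
SAMPLE_CONFIG = r'''{"Host:Port:Password": "104.250.180.178:7902:1", "Assigned name": "RemoteHost",
 "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable",
 "Install path": "Application path", "Copy file": "Adobe.exe", "Mutex": "Adobe-OTOIRK",
 "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat"}'''

# Assumption: "Application path" resolves to C:\ProgramData\<copy-file stem>\, which is
# what this report's process tree shows (C:\ProgramData\Adobe\Adobe.exe). Other builds may differ.
INSTALL_DIRS = {"Application path": r"C:\ProgramData"}

HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN_WOW = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class RemcosIOCs:
    c2: list[tuple[str, int, str]]          # (host, port, password)
    mutex: str
    install_path: str | None                # where the copy is dropped, if install is enabled
    run_values: list[str] = field(default_factory=list)
    keylog_enabled: bool = False
    keylog_path: str | None = None          # where logs.dat would land even if keylogging is off


def _parse_c2(value: str) -> list[tuple[str, int, str]]:
    """Split 'host:port:password' entries. Multiple entries separated by '|' is an assumption."""
    entries = []
    for item in value.split("|"):
        item = item.strip()
        if not item:
            continue
        # Split from the right so a bracketed IPv6 host keeps its own colons.
        host, port, password = item.rsplit(":", 2)
        entries.append((host, int(port), password))
    return entries


def parse_remcos_config(text: str, pe_32bit: bool = True) -> RemcosIOCs:
    cfg = json.loads(text)
    mutex = cfg.get("Mutex", "")
    copy_file = cfg.get("Copy file", "")
    base = INSTALL_DIRS.get(cfg.get("Install path", ""))
    install_dir = ntpath.join(base, ntpath.splitext(copy_file)[0]) if base and copy_file else None

    install_path = None
    if install_dir and cfg.get("Install flag") == "Enable":
        install_path = ntpath.join(install_dir, copy_file)

    run_values = []
    if cfg.get("Setup HKCU\\Run") == "Enable":
        run_values.append(HKCU_RUN + "\\" + mutex)
    if cfg.get("Setup HKLM\\Run") == "Enable":
        # A 32-bit PE on x64 Windows is redirected to the WOW6432Node view, which is
        # the key the Sigma hit in this report shows being written.
        run_values.append((HKLM_RUN_WOW if pe_32bit else HKLM_RUN) + "\\" + mutex)

    keylog_enabled = cfg.get("Keylog flag", "0") != "0"
    keylog_path = None
    if install_dir and cfg.get("Keylog path") == "Application path":
        keylog_path = ntpath.join(install_dir, cfg.get("Keylog file", "logs.dat"))

    return RemcosIOCs(_parse_c2(cfg["Host:Port:Password"]), mutex, install_path,
                      run_values, keylog_enabled, keylog_path)


def indicator_lines(iocs: RemcosIOCs) -> list[str]:
    """Flat 'type: value' lines for a blocklist or a hunt query."""
    lines = [f"c2: {host}:{port}" for host, port, _ in iocs.c2]
    lines.append(f"mutex: {iocs.mutex}")
    if iocs.install_path:
        lines.append(f"file: {iocs.install_path}")
    lines += [f"registry: {rv}" for rv in iocs.run_values]
    if iocs.keylog_enabled and iocs.keylog_path:   # only hunt for the log if the build keylogs
        lines.append(f"file: {iocs.keylog_path}")
    return lines


if __name__ == "__main__":
    for line in indicator_lines(parse_remcos_config(SAMPLE_CONFIG)):
        print(line)
```

The C2 password ("1" here) is deliberately not emitted as an indicator: it is a protocol secret, not something an endpoint or network sensor can match on. The keylog path is computed but only reported when the keylog flag is set, since this build has it off and hunting for a file that is never written only produces noise.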
Source | Rule | Description | Author (matched strings listed under the row)
00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b9c8:$a1: Remcos restarted by watchdog!
  • 0x6bf40:$a3: %02i:%02i:%02i:%03i
(24 further memory-dump matches are not shown in this excerpt)
Source | Rule | Description | Author (matched strings listed under the row)
3.2.6122.scr.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
3.2.6122.scr.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
3.2.6122.scr.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
3.2.6122.scr.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
3.2.6122.scr.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:
(23 further unpacked-PE matches are not shown in this excerpt)
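The INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM match above rests on three strings: the CMSTPLUA CLSID, the Elevation:Administrator!new: moniker that CoGetObject turns into an auto-elevated COM object, and CoGetObject itself; the REMCOS_RAT_variants match adds the reg.exe command that disables EnableLUA once elevated. The added example below (my own code, not ditekSHen's rule or Joe Sandbox's) looks for those strings in a dump in both ASCII and UTF-16LE, which matters because the moniker is normally a wide-string literal in C/C++ code, and applies a verdict condition that is my own (CLSID plus moniker or CoGetObject), not the rule's. The test blob is constructed.

```python
"""Scan a memory dump or unpacked PE for the CMSTPLUA UAC-bypass indicators
named in the YARA matches above, in both ASCII and UTF-16LE. Added example;
not the YARA rule's code, and the verdict condition is the author's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

# Indicator strings taken from the rule matches in this report. The last one is the
# tail of the reg.exe EnableLUA command from the REMCOS_RAT_variants match.
INDICATORS = {
    "clsid_cmstplua": CMSTPLUA_CLSID,
    "elevation_moniker": "Elevation:Administrator!new:",
    "cogetobject": "CoGetObject",
    "enablelua_tamper": r"Policies\System /v EnableLUA",
}


@dataclass(frozen=True)
class Hit:
    name: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int


def _patterns(text: str):
    """Case-insensitive byte patterns for the narrow and wide forms of an indicator."""
    yield "ascii", re.compile(re.escape(text.encode("ascii")), re.IGNORECASE)
    yield "utf-16le", re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE)


def scan_for_cmstplua(blob: bytes) -> list[Hit]:
    """Every occurrence of every indicator, in file order."""
    hits: list[Hit] = []
    for name, text in INDICATORS.items():
        for encoding, pattern in _patterns(text):
            hits.extend(Hit(name, encoding, m.start()) for m in pattern.finditer(blob))
    return sorted(hits, key=lambda h: h.offset)


def is_cmstplua_bypass(hits: list[Hit]) -> bool:
    """Author's condition: the CMSTPLUA CLSID together with the elevation moniker or a
    CoGetObject reference. CoGetObject on its own is common in legitimate software."""
    names = {h.name for h in hits}
    return "clsid_cmstplua" in names and bool(names & {"elevation_moniker", "cogetobject"})


def build_sample_blob() -> bytes:
    """Constructed test input: filler bytes with the moniker in ASCII and the CLSID in
    UTF-16LE, the way a wide-string literal sits in a real binary."""
    return (b"MZ" + b"\x90" * 254
            + b"Elevation:Administrator!new:\x00"
            + CMSTPLUA_CLSID.encode("utf-16-le") + b"\x00\x00"
            + b"CoGetObject\x00"
            + b"\x90" * 64)


if __name__ == "__main__":
    sample_hits = scan_for_cmstplua(build_sample_blob())
    for hit in sample_hits:
        print(f"{hit.offset:#08x} {hit.encoding:<8} {hit.name}")
    print("CMSTPLUA bypass indicators present:", is_cmstplua_bypass(sample_hits))
```

Run it against the unpacked dump (3.2.6122.scr.exe.400000.0.unpack in this report) rather than the packed file on disk: the strings only exist after the .NET stage has unpacked the native Remcos payload, which is why the on-disk sample scores lower with the multi-AV scanners than the dumped memory does with YARA.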

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\6122.scr.exe, ProcessId: 6180, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Adobe\Adobe.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\6122.scr.exe, ProcessId: 6180, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T09:25:51.543848+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 104.250.180.178 | 7902 | TCP
2024-09-26T09:25:53.715689+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 104.250.180.178 | 7902 | TCP
2024-09-26T09:25:53.398729+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 178.237.33.50 | 80 | TCP
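The two Sigma hits and the process tree above describe one chain: the dropper writes a Run value named after the mutex that points at its copy in C:\ProgramData, the copy spawns a second instance of itself, and that instance runs with the /stext switch to dump browser and mail credentials into %TEMP%. The added example below (not Sigma, Sysmon or Joe Sandbox code) turns that chain into three checks over Sysmon-style events and runs them on events constructed from the values in this report plus two constructed benign events; the field names follow Sysmon's schema, everything else in the sample data is made up for the test.

```python
"""Detection logic for the persistence and credential-dumping chain in this
report, run over constructed Sysmon-style events. Added example; not Sigma,
Sysmon or Joe Sandbox code. Field names follow Sysmon's event schema; the
event values are modelled on this report and are not real telemetry."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Registry autorun locations, including the Wow6432Node view a 32-bit PE is redirected to on x64.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# World- or user-writable drop directories used by this sample and by most loaders.
DROP_DIR_RE = re.compile(r"^(C:\\ProgramData\\|C:\\Users\\[^\\]+\\AppData\\|C:\\Users\\Public\\)", re.IGNORECASE)
# NirSoft-style "save as text" switch; Remcos runs its own copy with /stext to dump credentials.
STEXT_RE = re.compile(r"(?:^|\s)/stext(?:\s|$)", re.IGNORECASE)
# Double extension such as lure.scr.exe
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _unquote(path: str) -> str:
    return path.strip().strip('"')


def check_autorun_to_drop_dir(ev: dict) -> Finding | None:
    """Sysmon EventID 13: a Run value whose data points into a drop directory."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target = ev.get("TargetObject", "")
    data = _unquote(ev.get("Details", ""))
    if RUN_KEY_RE.search(target) and DROP_DIR_RE.match(data):
        return Finding("autorun_points_to_drop_dir", ev["ProcessId"], f"{target} -> {data}")
    return None


def check_stext_dump(ev: dict) -> Finding | None:
    """Sysmon EventID 1: a binary in a drop directory invoked with /stext."""
    if ev.get("EventID") != 1:
        return None
    if DROP_DIR_RE.match(ev.get("Image", "")) and STEXT_RE.search(ev.get("CommandLine", "")):
        return Finding("stext_dump_from_drop_dir", ev["ProcessId"], ev["CommandLine"])
    return None


def check_self_spawn(ev: dict) -> Finding | None:
    """Sysmon EventID 1: a suspicious image launching a second copy of itself
    (the parent-child pattern process hollowing leaves behind)."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    if image.lower() != ev.get("ParentImage", "").lower():
        return None
    if DROP_DIR_RE.match(image) or DOUBLE_EXT_RE.search(image):
        return Finding("self_spawn_suspicious_image", ev["ProcessId"], image)
    return None


CHECKS = (check_autorun_to_drop_dir, check_stext_dump, check_self_spawn)


def scan(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed events modelled on this report's process tree and Sigma hits, plus two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6180, "Image": r"C:\Users\user\Desktop\6122.scr.exe",
     "ParentImage": r"C:\Users\user\Desktop\6122.scr.exe", "CommandLine": r'"C:\Users\user\Desktop\6122.scr.exe"'},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 6180, "Image": r"C:\Users\user\Desktop\6122.scr.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK",
     "Details": r'"C:\ProgramData\Adobe\Adobe.exe"'},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 6180, "Image": r"C:\Users\user\Desktop\6122.scr.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe-OTOIRK",
     "Details": r'"C:\ProgramData\Adobe\Adobe.exe"'},
    {"EventID": 1, "ProcessId": 528, "Image": r"C:\ProgramData\Adobe\Adobe.exe",
     "ParentImage": r"C:\ProgramData\Adobe\Adobe.exe", "CommandLine": r'"C:\ProgramData\Adobe\Adobe.exe"'},
    {"EventID": 1, "ProcessId": 6948, "Image": r"C:\ProgramData\Adobe\Adobe.exe",
     "ParentImage": r"C:\ProgramData\Adobe\Adobe.exe",
     "CommandLine": r'C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"'},
    # Benign controls (constructed): an installer registering an agent under Program Files,
    # and explorer.exe starting notepad.
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4321, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\Agent.exe"'},
    {"EventID": 1, "ProcessId": 4444, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:<30} pid={f.pid:<5} {f.detail}")
```

The Sigma rule alone fires on every Run-key write; restricting the value data to drop directories removes most installer noise but still catches legitimate per-user software that updates itself from AppData, so treat the autorun finding as a lead to correlate with the self-spawn and /stext findings on the same host rather than as a verdict on its own.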

AV Detection

Source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "104.250.180.178:7902:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "Adobe.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Adobe-OTOIRK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\ProgramData\Adobe\Adobe.exe | ReversingLabs: Detection: 28%
Source: 6122.scr.exe | ReversingLabs: Detection: 28%
Source: Yara match | File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Adobe\Adobe.exe | Joe Sandbox ML: detected
Source: 6122.scr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_de751f6d-6)

Exploits

Source: Yara match | File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_004074FD _wcslen,CoGetObject
Source: 6122.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6122.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: yslI.pdbSHA256 | source: 6122.scr.exe, Adobe.exe.3.dr
Source: Binary string: yslI.pdb | source: 6122.scr.exe, Adobe.exe.3.dr
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0044E879 FindFirstFileExA
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0040783C FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_10006580 FindFirstFileExA
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49707 -> 104.250.180.178:7902
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49709 -> 104.250.180.178:7902
Source: Malware configuration extractor | URLs: 104.250.180.178
Source: global traffic | TCP traffic: 192.168.2.5:49707 -> 104.250.180.178:7902
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache (no User-Agent header)
Source: Joe Sandbox View | IP Address: 104.250.180.178
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: M247GB
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49710 -> 178.237.33.50:80
Source: unknown | TCP traffic detected without corresponding DNS query: 104.250.180.178 (reported 50 times; the C2 address is hard-coded in the configuration, so no DNS lookup precedes these connections)
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache (no User-Agent header)
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | equals www.ebuddy.com (eBuddy)
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com | equals www.ebuddy.com (eBuddy)
Source: Adobe.exe | String found in binary or memory: http://www.facebook.com/ | equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ | equals www.facebook.com (Facebook)
Source: Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ | equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: Adobe.exe, 00000005.00000002.4500521486.0000000001322000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: 6122.scr.exe, Adobe.exe, 00000005.00000002.4500276839.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp%r
Source: 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gptr$
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://www.digicert.com/CPS0~
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: bhv22E2.tmp.6.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
              Source: Adobe.exe, 00000006.00000002.2131344664.0000000000CF4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: Adobe.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
              Source: Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: Adobe.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: bhv22E2.tmp.6.drString found in binary or memory: https://www.office.com/
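The URL list above mixes three things the report does not separate. Strings in the RAT's own memory (geoplugin.net, the geolocation lookup), strings that belong to the NirSoft credential-recovery tooling the second stage embeds (www.nirsoft.net, plus the IM and webmail login endpoints in the same Adobe.exe process), and certificate and Microsoft CDN URLs that come from bhv22E2.tmp, which by the report's naming (name.N.dr) is a file dropped by process 6, the same Adobe.exe process whose memory holds the www.nirsoft.net string; those are browser and certificate data the stealer read, not code. The script below is an added example, not part of the Joe Sandbox report: it parses evidence lines in the form printed above (the fused form the extraction left or the form with a column separator), splits strings that memory scanning ran together, trims the trailing bytes the sandbox prints after a URL, and groups hosts by category. The sample lines are copied from the report; the host categories are the editor's assumptions, and the reading of the trailing '0' as the DER SEQUENCE tag that follows a URI in a certificate is the editor's explanation.

```python
import re
from collections import defaultdict

# Constructed input: a few evidence lines copied from the report above.
SAMPLE_LINES = """\
Source: bhv22E2.tmp.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv22E2.tmp.6.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv22E2.tmp.6.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: Adobe.exe, 00000005.00000002.4500521486.0000000001322000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp%r
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: Adobe.exe | String found in binary or memory: https://login.yahoo.com/config/login
"""

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<val>\S+)")
# A host is a run of dot-separated labels ending in an alphabetic TLD; anything
# after that is not part of the string the binary contained.
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)

# Editor's assumptions about what each host means for this sample.
SAMPLE_HOSTS = {"geoplugin.net"}        # geolocation lookup made by the RAT itself
TOOLING_HOSTS = {"www.nirsoft.net"}     # banner strings of the embedded NirSoft recovery tools
TARGET_HOSTS = {"login.yahoo.com", "www.google.com", "www.imvu.com", "www.ebuddy.com"}


def split_urls(value):
    """Undo strings that memory scanning fused, e.g.
    'http://a.comhttp://b.com' -> ['http://a.com', 'http://b.com']."""
    return [u for u in re.split(r"(?=https?://)", value) if u]


def host_of(url):
    """Host with the sandbox's trailing junk removed.  For URLs read out of a
    certificate the junk is usually '0' (0x30, the DER SEQUENCE tag that
    follows the URI) plus whatever byte came next, hence 'com0H', 'crl0~'."""
    netloc = url.split("://", 1)[-1].split("/", 1)[0]
    m = HOST_RE.match(netloc)
    return (m.group(0) if m else netloc).lower()


def classify(src, url, host):
    if host in SAMPLE_HOSTS:
        return "sample-specific"
    if host in TOOLING_HOSTS:
        return "embedded-tooling"
    if host in TARGET_HOSTS:
        return "credential-targets"
    if host.startswith(("crl", "ocsp")) or "/CPS" in url:
        return "pki"
    if src.endswith(".dr"):            # Joe Sandbox suffix for a dropped file
        return "dropped-file-content"
    return "other"


def triage(text):
    """{category: {host: sorted sources}} for every URL in the evidence text."""
    out = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for url in split_urls(m.group("val")):
            host = host_of(url)
            out[classify(m.group("src"), url, host)][host].add(m.group("src"))
    return {cat: {h: sorted(s) for h, s in hosts.items()} for cat, hosts in out.items()}


def summarize(text):
    """{category: sorted hosts}, the shape worth pasting into an IOC note."""
    return {cat: sorted(hosts) for cat, hosts in triage(text).items()}


if __name__ == "__main__":
    for cat, hosts in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{cat:22s} {', '.join(hosts)}")
```

Run against the full list above, only the sample-specific and embedded-tooling buckets are worth blocking or hunting for; the pki and dropped-file-content buckets are what any Windows 10 browser profile contains and would produce false positives in a network detection.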

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
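What makes the lines above a keylogger and clipboard-capture finding is not the API names on their own but their combination. The first argument to SetWindowsHookExA in 3_2_0040A2B8 is 0000000D, which is WH_KEYBOARD_LL, the low-level keyboard hook; 3_2_0040A3E0 pairs GetForegroundWindow and GetWindowThreadProcessId (which window the keystrokes went to) with GetKeyboardState and ToUnicodeEx (turning virtual-key codes into the characters actually typed); OpenClipboard followed by GetClipboardData is a clipboard read, and EmptyClipboard followed by SetClipboardData is a clipboard write, in the Adobe.exe variants fed from ReadFile. The script below is an added example, not part of the report: it parses 'Code function' lines in the form printed above and maps each function to the capabilities those combinations imply. Sample lines are copied from the report; the hook-id table is the one from winuser.h, and the capability rules are the editor's.

```python
import re

# Constructed input: 'Code function' lines copied from the report above, the
# first in the fused form the page extraction left, the rest with a column
# separator.  The last line is a function for which no imports were resolved.
SAMPLE_LINES = """\
Source: C:\\Users\\user\\Desktop\\6122.scr.exeCode function: 3_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,000000003_2_0040A2B8
Source: C:\\Users\\user\\Desktop\\6122.scr.exe | Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\\Users\\user\\Desktop\\6122.scr.exe | Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\\ProgramData\\Adobe\\Adobe.exe | Code function: 6_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\\Users\\user\\Desktop\\6122.scr.exe | Code function: 3_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: C:\\Users\\user\\Desktop\\6122.scr.exeCode function: 0_2_017C4B010_2_017C4B01
"""

# Function ids are <process>_<run>_<8 hex digits>; the report repeats the id at
# the end of each line, which parse_calls strips.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*Code function:\s*(?P<func>\d+_\d+_[0-9A-F]{8})\s*(?P<rest>.*)$")
HEX8_RE = re.compile(r"^[0-9A-F]{8}$")

# Hook ids from winuser.h; 0x0D is what the report shows being passed.
HOOK_NAMES = {2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 7: "WH_MOUSE",
              13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}


def parse_calls(rest, func):
    """'SetWindowsHookExA 0000000D,0040A2A4,00000000' ->
    [('SetWindowsHookExA', ['0000000D', '0040A2A4', '00000000'])].
    The report prints 'API arg1,arg2,...' so a bare 8-digit hex token is an
    argument of the preceding call, not a new call."""
    rest = rest.strip()
    if rest.endswith(func):
        rest = rest[:-len(func)].rstrip()
    calls = []
    for token in rest.split(","):
        words = token.split()
        if not words:
            continue
        if HEX8_RE.match(words[0]) and calls:
            calls[-1][1].extend(words)
        else:
            calls.append((words[0], words[1:]))
    return calls


def capabilities(calls):
    """Map one function's call list to the capabilities it implies."""
    names = {api for api, _ in calls}
    caps = set()
    for api, args in calls:
        if api in ("SetWindowsHookExA", "SetWindowsHookExW") and args:
            hook_id = int(args[0], 16)
            hook = HOOK_NAMES.get(hook_id, f"hook id {hook_id}")
            kind = "keyboard" if hook_id in (2, 13) else "mouse" if hook_id in (7, 14) else "windows"
            caps.add(f"{kind} hook ({hook})")
    if {"GetKeyboardState", "ToUnicodeEx"} <= names:
        caps.add("keystroke-to-text translation")
    if {"GetForegroundWindow", "GetWindowThreadProcessId"} <= names:
        caps.add("foreground window tracking")
    if {"OpenClipboard", "GetClipboardData"} <= names:
        caps.add("clipboard read")
    if "SetClipboardData" in names:
        caps.add("clipboard write" + (" from file" if "ReadFile" in names else ""))
    return caps


def analyse(text):
    """{function id: sorted capabilities} for every function that has any."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        caps = capabilities(parse_calls(m.group("rest"), m.group("func")))
        if caps:
            result[m.group("func")] = sorted(caps)
    return result


def overall(text):
    """Sorted union of capabilities across all functions in the text."""
    return sorted(set().union(*analyse(text).values()))


if __name__ == "__main__":
    for func, caps in analyse(SAMPLE_LINES).items():
        print(func, "->", "; ".join(caps))
```

The same rules applied to the Adobe.exe functions show why the report lists them under capture rather than theft: they only write the clipboard (the RAT's paste-from-file command), while the keyboard hook and the ToUnicodeEx loop live in the unpacked 6122.scr.exe image.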

              E-Banking Fraud

              Source: Yara match | File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0041C9E2 SystemParametersInfoW

              System Summary

              Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00401806 NtdllDefWindowProc_W
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_004018C0 NtdllDefWindowProc_W
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_004016FD NtdllDefWindowProc_A
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_004017B7 NtdllDefWindowProc_A
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00402CAC NtdllDefWindowProc_A
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 0_2_017C4B01
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 0_2_017CDE4C
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 0_2_078F2E20
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0043E0CC
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0041F0FA
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00454159
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00438168
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_004461F0
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0043E2FB
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0045332B
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0042739D
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_004374E6
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0043E558
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00438770
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_004378FE
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00433946
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0044D9C9
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00427A46
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0041DB62
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00427BAF
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00437D33
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00435E5E
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00426E0E
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0043DE9D
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00413FCA
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00436FEA
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 4_2_0149DE4C
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 4_2_079F2E20
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_10017194
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_1000B5C1
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044B040
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0043610D
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00447310
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044A490
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0040755A
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0043C560
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044B610
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044D6C0
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_004476F0
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044B870
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044081D
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00414957
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_004079EE
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00407AEB
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044AA80
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00412AA9
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00404B74
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00404B03
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044BBD8
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00404BE5
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00404C76
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00415CFE
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00416D72
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00446D30
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00446D8B
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00406E8F
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00405038
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0041208C
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_004050A9
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0040511A
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0043C13A
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_004051AB
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00449300
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0040D322
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0044A4F0
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0043A5AB
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00413631
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00446690
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0044A730
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_004398D8
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_004498E0
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0044A886
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0043DA09
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00438D5E
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00449ED0
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0041FE83
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00430F54
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_004050C2
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_004014AB
              Source: C:\Prog
ramData\Adobe\Adobe.exe | Code function: 8_2_00405133
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_004051A4
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00401246
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_0040CA46
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00405235
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_004032C8
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00401689
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00402F60
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_0155DE4C
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_05577368
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_05570040
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_05570006
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_05577358
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_074F2E20
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_02EDDE4C
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_059383C8
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_059337BF
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_059337F8
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_0593E740
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_0593C668
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_0593C230
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_0593C220
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_0593BDC0
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_0593CA8F
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_0593CAA0
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_07272E20
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_00F1DE4C
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_06B92E20
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 004169A7 appears 87 times
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 0044DB70 appears 41 times
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 004165FF appears 35 times
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 00422297 appears 42 times
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 00444B5A appears 37 times
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 00413025 appears 79 times
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: String function: 00416760 appears 69 times
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: String function: 00434E10 appears 54 times
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: String function: 00402093 appears 50 times
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: String function: 00434770 appears 41 times
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: String function: 00401E65 appears 34 times
              Source: 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 6122.scr.exe
              Source: 6122.scr.exe, 00000000.00000000.2032745011.0000000000EF0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameyslI.exeD vs 6122.scr.exe
              Source: 6122.scr.exe, 00000000.00000002.2062560901.0000000008340000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs 6122.scr.exe
              Source: 6122.scr.exe, 00000003.00000002.2048067973.0000000000CD1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameyslID vs 6122.scr.exe
              Source: 6122.scr.exeBinary or memory string: OriginalFilenameyslI.exeD vs 6122.scr.exe
Source: 6122.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6122.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Adobe.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lMlittINpsxqyHRioh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs | Security API names: _0020.SetAccessControl
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs | Security API names: _0020.AddAccessRule
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs | Security API names: _0020.SetAccessControl
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs | Security API names: _0020.AddAccessRule
Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lMlittINpsxqyHRioh.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@22/7@1/2
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\6122.scr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6122.scr.exe.log
Source: C:\ProgramData\Adobe\Adobe.exe | Mutant created: \Sessions\1\BaseNamedObjects\Adobe-OTOIRK
Source: C:\ProgramData\Adobe\Adobe.exe | Mutant created: NULL
Source: C:\ProgramData\Adobe\Adobe.exe | File created: C:\Users\user\AppData\Local\Temp\bhv22E2.tmp
Source: 6122.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6122.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\ProgramData\Adobe\Adobe.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\6122.scr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\6122.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Adobe.exe, Adobe.exe, 00000007.00000002.2123873809.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Adobe.exe, 00000006.00000002.2132215034.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Adobe.exe, Adobe.exe, 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 6122.scr.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\6122.scr.exe | File read: C:\Users\user\Desktop\6122.scr.exe
Source: C:\ProgramData\Adobe\Adobe.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq"
Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: unknown | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe | Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\6122.scr.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: dwrite.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windowscodecs.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: amsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: userenv.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: winmm.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: netutils.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: profapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: version.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wininet.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: pstorec.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: vaultcli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: dpapi.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: pstorec.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: wldp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Adobe\Adobe.exe | Section loaded: version.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rstrtmgr.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ncrypt.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ntasn1.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: mscoree.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: version.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: uxtheme.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windows.storage.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wldp.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: profapi.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptsp.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rsaenh.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: cryptbase.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: dwrite.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: windowscodecs.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: amsi.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: userenv.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: msasn1.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: gpapi.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: winmm.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: urlmon.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: wininet.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iertutil.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: srvcli.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: netutils.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: iphlpapi.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: rstrtmgr.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ncrypt.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: ntasn1.dll
              Source: C:\ProgramData\Adobe\Adobe.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\6122.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\6122.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\ProgramData\Adobe\Adobe.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: 6122.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: 6122.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: 6122.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: yslI.pdbSHA256 source: 6122.scr.exe, Adobe.exe.3.dr
              Source: Binary string: yslI.pdb source: 6122.scr.exe, Adobe.exe.3.dr

              Data Obfuscation

              Source: 6122.scr.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs | .Net Code: nSC2GcWyVM System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.325e8c8.1.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.5ae0000.7.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs | .Net Code: nSC2GcWyVM System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.32a418c.2.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.32ad7a4.3.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 0.2.6122.scr.exe.32552b0.0.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: Adobe.exe.3.dr, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
              Source: 4.2.Adobe.exe.31d5288.0.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 4.2.Adobe.exe.322d71c.3.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 4.2.Adobe.exe.3224104.2.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
              Source: 6122.scr.exe | Static PE information: 0x9EE6543A [Wed Jun 24 06:22:50 2054 UTC]
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041CB50
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00457106 push ecx; ret 3_2_00457119
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0045B11A push esp; ret 3_2_0045B141
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0045E54D push esi; ret 3_2_0045E556
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00457A28 push eax; ret 3_2_00457A46
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00434E56 push ecx; ret 3_2_00434E69
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 5_2_10002806 push ecx; ret 5_2_10002819
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044693D push ecx; ret 6_2_0044694D
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044DB70 push eax; ret 6_2_0044DB84
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_0044DB70 push eax; ret 6_2_0044DBAC
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 6_2_00451D54 push eax; ret 6_2_00451D61
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0044B090 push eax; ret 7_2_0044B0A4
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_0044B090 push eax; ret 7_2_0044B0CC
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00451D34 push eax; ret 7_2_00451D41
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 7_2_00444E71 push ecx; ret 7_2_00444E81
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00414060 push eax; ret 8_2_00414074
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00414060 push eax; ret 8_2_0041409C
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00414039 push ecx; ret 8_2_00414049
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_004164EB push 0000006Ah; retf 8_2_004165C4
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00416553 push 0000006Ah; retf 8_2_004165C4
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 8_2_00416555 push 0000006Ah; retf 8_2_004165C4
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 9_2_0155EF82 push eax; iretd 9_2_0155EF89
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 12_2_02EDEF82 push eax; iretd 12_2_02EDEF89
              Source: C:\ProgramData\Adobe\Adobe.exe | Code function: 14_2_06B90006 push es; ret 14_2_06B9001C
              Source: 6122.scr.exe | Static PE information: section name: .text entropy: 7.920388843552256
              Source: Adobe.exe.3.dr | Static PE information: section name: .text entropy: 7.920388843552256
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, oUXl38Qon5Z7tsM4nR.cs | High entropy of concatenated method names: 'HDvcsxy13C', 'uYjcLx7Zqx', 'hm9c2UO6Z5', 'r6Mcv3OEd6', 'oLtcua5NXD', 'RUZcjckD7r', 'agicoJs5mV', 'vowitx9Gpw', 'v1Pi6CSUOT', 'H06ifQmQMH'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, OiEqwKWV3XP5MFdO7m.cs | High entropy of concatenated method names: 'eSPLTIkfeD', 'D33Lv7lihn', 'cKoLu3JTDO', 'k6YLVnbh2R', 'PCXLjxnUtp', 'ew5LoTpegF', 'FmtLCGHRUw', 'oFcLW2Gywt', 'TQ3L8A86nn', 'PO2LA1bGVy'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, MMRRymsLRW3q82QOYGu.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c6mb1lWoat', 'dZrbOiomQS', 'C1VbBGZEd4', 'miAbk24uIe', 'S0VbNies1F', 'chdbYk72K8', 'RgMbtAi8nP'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, YejYQrk0TLI7mPPhDK.cs | High entropy of concatenated method names: 'FCSPAn28sT', 'jIVPy2RdWp', 'ToString', 'cFAPvvXcTw', 'aRkPuyfnvq', 'QNPPVnyA4P', 'fh9PjK3NuF', 'Y24PomorpU', 'c8kPCTRSUh', 'htrPWWoemB'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, oEobZI1envoIa4Slio.cs | High entropy of concatenated method names: 'hukMSxGTXM', 'G49M9VmlOA', 'kP0M1YyDEp', 'PAZMOIi7f5', 'VUaMUIaert', 'QFtMxvVRYF', 'tu7MDcOBDL', 'S7WMlh2Uyi', 'x0DMEy9cOD', 'm8JMHkFyIi'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, vM77OVB0h5ZGs4LVvp.cs | High entropy of concatenated method names: 'ToString', 'XXVRmu5uGC', 'zx1RUhPoWJ', 'J4DRxCwv8D', 'HIIRDr3k6D', 'iYyRlQlviT', 'DfWRETM1QA', 'g31RHg2APk', 'lyqRFsIOtp', 'RhfRehAZov'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, fU8tOTH00QywT4N2NP.cs | High entropy of concatenated method names: 'En7CvMuLVT', 'sa4CVw5ixI', 'mgaCopdMcp', 'qSboQLnP3L', 'oVjozkmClU', 'A4PCw4bJrO', 'PnTCs5hyeJ', 'wbdCh0opnI', 'q9GCLx9MaX', 'pNxC22qvpg'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, WGlAZZKGAXV6pDSItG.cs | High entropy of concatenated method names: 'KECV01pRxA', 'yt7V7ot9dB', 'pJDVISwETY', 'bLGVKaW2cm', 'yoYVM6EDtn', 'TO9VRxJmh5', 'HmrVPVkqKw', 'KJXViYYJkq', 'hlIVcfifjw', 'nmaVbIVgKb'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, bDbkxKgtfhD1VVvXIL.cs | High entropy of concatenated method names: 'pQloTQyQaL', 'nA5ouCki8G', 'F6Ooj34PK0', 'UIkoCuDLqm', 'c8noW63dKi', 'eC9jNW5dIP', 'DjFjYg4dqs', 'KTkjt5fAln', 'ufEj6HY3ff', 'WHWjf1ZcMk'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, BRqveBeSRUwbIX859D.cs | High entropy of concatenated method names: 'p2mCqpFCPn', 'GxhCaKsNJA', 'YsgCGTHgfT', 'sdrC0KVIcb', 'qNwCXhqVh2', 'z6AC73mO5R', 'Dd9C5l30hU', 'jSBCILHUuY', 'weWCKlou8x', 'ObDCrlEc9C'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, s1JCvvuEraKO4aO8c1.cs | High entropy of concatenated method names: 'Dispose', 'fdOsfk1qEl', 'bjphU7jAf5', 'AtPYY8CAsf', 'qYSsQJd1vU', 'biVszO0WRS', 'ProcessDialogKey', 'xtFhw94Fda', 'HDthsLSt5Y', 'w6whhMUXl3'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, M94FdafxDtLSt5Y46w.cs | High entropy of concatenated method names: 'keqigx41oc', 'XhtiUJKLwb', 'BcpixN9W6f', 'kIViDJGOZo', 'ubhi13R5Ji', 'AHYiliTA72', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, SKXiGDrAfbiCHdSK3S.cs | High entropy of concatenated method names: 'aQejXQRAyk', 'zMQj5aRlSw', 'S0kVxnXbiU', 'OKoVD5oDUM', 'o05VlNXlj3', 'cL1VEXVdrx', 'rWkVHOJHNL', 'V4wVF9EBCh', 'iE8VeYuJJJ', 'XJsVSAIePt'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, YmnKt3swn5cFxyQhobJ.cs | High entropy of concatenated method names: 'H89cqngEQf', 'mlWcadK5Y6', 'mBFcG25isD', 'Gmvc00dqgD', 'gaocXlOKfj', 'wEYc7U3gpq', 'udLc5DPouo', 'j2TcIufgk5', 'MEgcKoU7gA', 'zO7cr9pGa3'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, qTxWgB33udNUpZMyHq.cs | High entropy of concatenated method names: 'd79pIS5W9a', 'xZBpKi0YDv', 'vERpgMJwo8', 'ouWpU4dx4U', 'zUBpDE76t4', 'NaxpliSCDw', 'LZdpHZT9N6', 'xwXpFk6aTu', 'QjdpSySOWr', 'qkOpmxKRvL'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, VSJd1v6UsiVO0WRSZt.cs | High entropy of concatenated method names: 'w2Kiv2isUi', 'AQNiukQSeO', 'yeOiVohAQ4', 'kb0ijiiSpT', 'Eskio3JAE0', 'eVPiCBt5ZR', 'ig4iWSOuee', 'vN9i88maxh', 'KMYiADA7wC', 'wOViyy85Tt'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lmin8QhhIQq4ovY4Tc.cs | High entropy of concatenated method names: 'xvoGtBDNZ', 'UZo0APtET', 'JXl7TZZL9', 'HvT5lhTfv', 'w41KkBBV6', 'JhGrcqeha', 'MK7d1pC7PU0Cla9Ckv', 'O9eoWmpHRR5hJAN49G', 'T8OigULDp', 'VgZb3YDe9'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, d3UmV22nuMAGQR9kgB.cs | High entropy of concatenated method names: 'CNAsCMlitt', 'UpssWxqyHR', 'xGAsAXV6pD', 'NItsyGOKXi', 'uSKsM3ShDb', 'TxKsRtfhD1', 'FWt3APEdFEO7YKsLsg', 'ORyPgb3ecawqpWNOT5', 't1Rssd0O68', 'uSlsLFC7LK'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, cMxtSezGcjyLrA6GXP.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C2Scpp5bpC', 'XbecMsJSWc', 'J5EcRYKie8', 'pXkcPKEGJZ', 'sX6ci8q33F', 'O4MccIB4mK', 'eKqcbMRZA3'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, lMlittINpsxqyHRioh.cs | High entropy of concatenated method names: 'cIpu1thYrm', 'jdNuO3lMgP', 'IlZuBlyHTs', 'n4RukX38MA', 'GrLuNa1oP4', 'UOSuY0NRDg', 'yjKut27e5u', 'dPRu6c1Ahr', 'dUZufDNsoB', 'FKiuQAjpbw'
              Source: 0.2.6122.scr.exe.43aac70.4.raw.unpack, Rre25hYWnTuqvUqFJf.cs | High entropy of concatenated method names: 'hsxP6eGYqm', 'hR3PQWay4U', 'Nf6iw75NSh', 'Ceqis2gimp', 'F5NPmAPZTV', 'Q8nP9RdXbL', 'bOdP3WcbBU', 'NJZP1Kokjg', 'hAxPOu8TLg', 'MGFPBgqSIx'
              Source: 0.2.6122.scr.exe.325e8c8.1.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 0.2.6122.scr.exe.5ae0000.7.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, oUXl38Qon5Z7tsM4nR.cs | High entropy of concatenated method names: 'HDvcsxy13C', 'uYjcLx7Zqx', 'hm9c2UO6Z5', 'r6Mcv3OEd6', 'oLtcua5NXD', 'RUZcjckD7r', 'agicoJs5mV', 'vowitx9Gpw', 'v1Pi6CSUOT', 'H06ifQmQMH'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, OiEqwKWV3XP5MFdO7m.cs | High entropy of concatenated method names: 'eSPLTIkfeD', 'D33Lv7lihn', 'cKoLu3JTDO', 'k6YLVnbh2R', 'PCXLjxnUtp', 'ew5LoTpegF', 'FmtLCGHRUw', 'oFcLW2Gywt', 'TQ3L8A86nn', 'PO2LA1bGVy'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, MMRRymsLRW3q82QOYGu.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c6mb1lWoat', 'dZrbOiomQS', 'C1VbBGZEd4', 'miAbk24uIe', 'S0VbNies1F', 'chdbYk72K8', 'RgMbtAi8nP'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, YejYQrk0TLI7mPPhDK.cs | High entropy of concatenated method names: 'FCSPAn28sT', 'jIVPy2RdWp', 'ToString', 'cFAPvvXcTw', 'aRkPuyfnvq', 'QNPPVnyA4P', 'fh9PjK3NuF', 'Y24PomorpU', 'c8kPCTRSUh', 'htrPWWoemB'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, oEobZI1envoIa4Slio.cs | High entropy of concatenated method names: 'hukMSxGTXM', 'G49M9VmlOA', 'kP0M1YyDEp', 'PAZMOIi7f5', 'VUaMUIaert', 'QFtMxvVRYF', 'tu7MDcOBDL', 'S7WMlh2Uyi', 'x0DMEy9cOD', 'm8JMHkFyIi'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, vM77OVB0h5ZGs4LVvp.cs | High entropy of concatenated method names: 'ToString', 'XXVRmu5uGC', 'zx1RUhPoWJ', 'J4DRxCwv8D', 'HIIRDr3k6D', 'iYyRlQlviT', 'DfWRETM1QA', 'g31RHg2APk', 'lyqRFsIOtp', 'RhfRehAZov'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, fU8tOTH00QywT4N2NP.cs | High entropy of concatenated method names: 'En7CvMuLVT', 'sa4CVw5ixI', 'mgaCopdMcp', 'qSboQLnP3L', 'oVjozkmClU', 'A4PCw4bJrO', 'PnTCs5hyeJ', 'wbdCh0opnI', 'q9GCLx9MaX', 'pNxC22qvpg'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, WGlAZZKGAXV6pDSItG.cs | High entropy of concatenated method names: 'KECV01pRxA', 'yt7V7ot9dB', 'pJDVISwETY', 'bLGVKaW2cm', 'yoYVM6EDtn', 'TO9VRxJmh5', 'HmrVPVkqKw', 'KJXViYYJkq', 'hlIVcfifjw', 'nmaVbIVgKb'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, bDbkxKgtfhD1VVvXIL.cs | High entropy of concatenated method names: 'pQloTQyQaL', 'nA5ouCki8G', 'F6Ooj34PK0', 'UIkoCuDLqm', 'c8noW63dKi', 'eC9jNW5dIP', 'DjFjYg4dqs', 'KTkjt5fAln', 'ufEj6HY3ff', 'WHWjf1ZcMk'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, BRqveBeSRUwbIX859D.cs | High entropy of concatenated method names: 'p2mCqpFCPn', 'GxhCaKsNJA', 'YsgCGTHgfT', 'sdrC0KVIcb', 'qNwCXhqVh2', 'z6AC73mO5R', 'Dd9C5l30hU', 'jSBCILHUuY', 'weWCKlou8x', 'ObDCrlEc9C'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, s1JCvvuEraKO4aO8c1.cs | High entropy of concatenated method names: 'Dispose', 'fdOsfk1qEl', 'bjphU7jAf5', 'AtPYY8CAsf', 'qYSsQJd1vU', 'biVszO0WRS', 'ProcessDialogKey', 'xtFhw94Fda', 'HDthsLSt5Y', 'w6whhMUXl3'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, M94FdafxDtLSt5Y46w.cs | High entropy of concatenated method names: 'keqigx41oc', 'XhtiUJKLwb', 'BcpixN9W6f', 'kIViDJGOZo', 'ubhi13R5Ji', 'AHYiliTA72', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, SKXiGDrAfbiCHdSK3S.cs | High entropy of concatenated method names: 'aQejXQRAyk', 'zMQj5aRlSw', 'S0kVxnXbiU', 'OKoVD5oDUM', 'o05VlNXlj3', 'cL1VEXVdrx', 'rWkVHOJHNL', 'V4wVF9EBCh', 'iE8VeYuJJJ', 'XJsVSAIePt'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, YmnKt3swn5cFxyQhobJ.cs | High entropy of concatenated method names: 'H89cqngEQf', 'mlWcadK5Y6', 'mBFcG25isD', 'Gmvc00dqgD', 'gaocXlOKfj', 'wEYc7U3gpq', 'udLc5DPouo', 'j2TcIufgk5', 'MEgcKoU7gA', 'zO7cr9pGa3'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, qTxWgB33udNUpZMyHq.cs | High entropy of concatenated method names: 'd79pIS5W9a', 'xZBpKi0YDv', 'vERpgMJwo8', 'ouWpU4dx4U', 'zUBpDE76t4', 'NaxpliSCDw', 'LZdpHZT9N6', 'xwXpFk6aTu', 'QjdpSySOWr', 'qkOpmxKRvL'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, VSJd1v6UsiVO0WRSZt.cs | High entropy of concatenated method names: 'w2Kiv2isUi', 'AQNiukQSeO', 'yeOiVohAQ4', 'kb0ijiiSpT', 'Eskio3JAE0', 'eVPiCBt5ZR', 'ig4iWSOuee', 'vN9i88maxh', 'KMYiADA7wC', 'wOViyy85Tt'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lmin8QhhIQq4ovY4Tc.cs | High entropy of concatenated method names: 'xvoGtBDNZ', 'UZo0APtET', 'JXl7TZZL9', 'HvT5lhTfv', 'w41KkBBV6', 'JhGrcqeha', 'MK7d1pC7PU0Cla9Ckv', 'O9eoWmpHRR5hJAN49G', 'T8OigULDp', 'VgZb3YDe9'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, d3UmV22nuMAGQR9kgB.cs | High entropy of concatenated method names: 'CNAsCMlitt', 'UpssWxqyHR', 'xGAsAXV6pD', 'NItsyGOKXi', 'uSKsM3ShDb', 'TxKsRtfhD1', 'FWt3APEdFEO7YKsLsg', 'ORyPgb3ecawqpWNOT5', 't1Rssd0O68', 'uSlsLFC7LK'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, cMxtSezGcjyLrA6GXP.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C2Scpp5bpC', 'XbecMsJSWc', 'J5EcRYKie8', 'pXkcPKEGJZ', 'sX6ci8q33F', 'O4MccIB4mK', 'eKqcbMRZA3'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, lMlittINpsxqyHRioh.cs | High entropy of concatenated method names: 'cIpu1thYrm', 'jdNuO3lMgP', 'IlZuBlyHTs', 'n4RukX38MA', 'GrLuNa1oP4', 'UOSuY0NRDg', 'yjKut27e5u', 'dPRu6c1Ahr', 'dUZufDNsoB', 'FKiuQAjpbw'
              Source: 0.2.6122.scr.exe.8340000.8.raw.unpack, Rre25hYWnTuqvUqFJf.cs | High entropy of concatenated method names: 'hsxP6eGYqm', 'hR3PQWay4U', 'Nf6iw75NSh', 'Ceqis2gimp', 'F5NPmAPZTV', 'Q8nP9RdXbL', 'bOdP3WcbBU', 'NJZP1Kokjg', 'hAxPOu8TLg', 'MGFPBgqSIx'
              Source: 0.2.6122.scr.exe.32a418c.2.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 0.2.6122.scr.exe.32ad7a4.3.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 0.2.6122.scr.exe.32552b0.0.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 4.2.Adobe.exe.31d5288.0.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 4.2.Adobe.exe.322d71c.3.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
              Source: 4.2.Adobe.exe.3224104.2.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
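The static indicators listed under Data Obfuscation (the compile timestamp 0x9EE6543A that decodes to June 2054, the .text section entropy of 7.92, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry that marks a .NET image, the DllCharacteristics flags, and the high entropy of concatenated method names) can all be reproduced from PE headers and metadata without executing the sample. The Python below is an added example and not part of the Joe Sandbox report or its tooling: it parses just enough of a PE32/PE32+ image to run those checks, and builds a constructed sample PE in memory (the reported timestamp and flags, pseudo-random section bytes) rather than reading the real file. The entropy threshold of 7.0 and the "packed or encrypted" interpretation are assumed heuristics, not values taken from the report.

```python
"""Static triage for the obfuscation indicators listed above: a compile timestamp in
the future, a high-entropy .text section, a CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
and randomised method names. Standard library only; the sample PE is constructed inline."""
from __future__ import annotations
import math
import random
import struct
from datetime import datetime, timezone

ENTROPY_THRESHOLD = 7.0    # assumed heuristic: ordinary compiled code sits well below this
PE32_MAGIC = 0x10B
COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def method_name_entropy(names: list[str]) -> float:
    """Entropy of the concatenated method names: the heuristic behind the
    'High entropy of concatenated method names' findings above."""
    return shannon_entropy("".join(names).encode("utf-8"))


def compile_time_utc(timestamp: int) -> str:
    """COFF TimeDateStamp (seconds since 1970) rendered as UTC."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_pe(blob: bytes) -> dict:
    """Read the COFF header, DllCharacteristics, the CLR data directory entry and the
    section table of a PE32/PE32+ image. Raises ValueError on a non-PE input."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    is_pe32 = struct.unpack_from("<H", blob, opt)[0] == PE32_MAGIC
    dllchars = struct.unpack_from("<H", blob, opt + 70)[0]
    ndirs = struct.unpack_from("<I", blob, opt + (92 if is_pe32 else 108))[0]
    dirs = opt + (96 if is_pe32 else 112)      # first IMAGE_DATA_DIRECTORY entry
    clr_rva = clr_size = 0
    if ndirs > COM_DESCRIPTOR_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", blob, dirs + 8 * COM_DESCRIPTOR_INDEX)
    sections = []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": shannon_entropy(raw)})
    return {"timestamp": timestamp,
            "dll_characteristics": [n for f, n in DLL_CHARACTERISTICS.items() if dllchars & f],
            "is_dotnet": clr_rva != 0 and clr_size != 0,
            "sections": sections}


def triage(blob: bytes, now_ts: float | None = None) -> list[str]:
    """Findings in the style of the report; now_ts pins 'now' for reproducible runs."""
    info = parse_pe(blob)
    now_ts = datetime.now(timezone.utc).timestamp() if now_ts is None else now_ts
    findings = []
    if info["timestamp"] > now_ts:
        findings.append(f"timestamp 0x{info['timestamp']:08X} [{compile_time_utc(info['timestamp'])} UTC] lies in the future")
    if info["is_dotnet"]:
        findings.append("CLR header present: .NET assembly")
    for s in info["sections"]:
        if s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"section {s['name']} entropy {s['entropy']:.2f}: likely packed or encrypted payload")
    return findings


def build_sample_pe() -> bytes:
    """Constructed sample (not the real file): a PE32 .NET stub with a pseudo-random
    .text section, the DllCharacteristics and the timestamp reported for 6122.scr.exe."""
    rng = random.Random(6122)
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    e_lfanew = 0x80
    raw_ptr = 0x200                                        # first file-aligned slot after the headers
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x9EE6543A, 0, 0, len(opt), 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    image = bytearray(dos) + b"PE\0\0" + coff + opt + section
    image += b"\0" * (raw_ptr - len(image)) + text
    return bytes(image)


if __name__ == "__main__":
    print("\n".join(triage(build_sample_pe())))
```

Against a real file, call triage(open(path, "rb").read()). Each signal is weak on its own: UPX-packed legitimate software has sections above 7 bits per byte, reproducible builds and some linkers write zeroed or hashed timestamps, and every .NET WinForms application has a CLR header. They earn their place as triage signals that justify unpacking the sample and decompiling the Assembly.Load(byte[]) call sites listed above, not as a verdict.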

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\6122.scr.exe | File written: C:\ProgramData\Adobe\Adobe.exe
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_00406EB0 ShellExecuteW,URLDownloadToFileW,3_2_00406EB0
              Source: C:\Users\user\Desktop\6122.scr.exe | File created: C:\ProgramData\Adobe\Adobe.exe (reported 2 times)

              Boot Survival

              Source: C:\Users\user\Desktop\6122.scr.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK (reported 3 times)
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_0041AA4A
              Source: C:\Users\user\Desktop\6122.scr.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK (reported 2 times)
              Source: C:\Users\user\Desktop\6122.scr.exe | Code function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041CB50
              Source: C:\Users\user\Desktop\6122.scr.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\Adobe\Adobe.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: Adobe.exe PID: 4500, type: MEMORYSTR
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_0040F7A7 Sleep,ExitProcess,3_2_0040F7A7
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 1770000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 3220000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 5220000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 8500000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 9500000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: 96C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\6122.scr.exe Memory allocated: A6C0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 1490000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 31A0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 51A0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 7FC0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 8FC0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 9170000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: A170000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 1550000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 3040000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 2E10000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 7E60000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 8E60000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 9010000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: A010000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 2CC0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 2F50000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 2CC0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 7C90000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 8C90000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 8E40000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 9E40000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: ED0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 2970000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 2880000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 7710000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 8710000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 88C0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Memory allocated: 98C0000 memory reserve | memory write watch
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 6_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,6_2_0040DD85
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,3_2_0041A748
              Source: C:\Users\user\Desktop\6122.scr.exe Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe\Adobe.exe Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe\Adobe.exe Window / User API: threadDelayed 1219
              Source: C:\ProgramData\Adobe\Adobe.exe Window / User API: threadDelayed 8769
              Source: C:\Users\user\Desktop\6122.scr.exe Evaded block: after key decision graph_3-47650
              Source: C:\Users\user\Desktop\6122.scr.exe Evaded block: after key decision graph_3-47673
              Source: C:\Users\user\Desktop\6122.scr.exe API coverage: 6.3 %
              Source: C:\ProgramData\Adobe\Adobe.exe API coverage: 9.7 %
              Source: C:\Users\user\Desktop\6122.scr.exe TID: 6804 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 6604 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132 Thread sleep count: 1219 > 30
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132 Thread sleep time: -3657000s >= -30000s
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132 Thread sleep count: 8769 > 30
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 2132 Thread sleep time: -26307000s >= -30000s
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\Adobe\Adobe.exe TID: 5068 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_00409253
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_0041C291
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,3_2_0040C34D
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_00409665
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_0044E879 FindFirstFileExA,3_2_0044E879
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,3_2_0040880C
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,3_2_0040783C
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00419AF5
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040BB30
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040BD37
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,5_2_100010F1
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 5_2_10006580 FindFirstFileExA,5_2_10006580
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 6_2_0040AE51 FindFirstFileW,FindNextFileW,6_2_0040AE51
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,7_2_00407EF8
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 8_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,8_2_00407898
              Source: C:\Users\user\Desktop\6122.scr.exe Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00407C97
              Source: C:\ProgramData\Adobe\Adobe.exe Code function: 6_2_00418981 memset,GetSystemInfo,6_2_00418981
              Source: C:\Users\user\Desktop\6122.scr.exe Thread delayed: delay time: 922337203685477
              Source: C:\ProgramData\Adobe\Adobe.exe Thread delayed: delay time: 922337203685477
              Source: Adobe.exe, 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, Adobe.exe, 00000005.00000002.4500521486.000000000132B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: bhv22E2.tmp.6.drBinary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
              Source: C:\ProgramData\Adobe\Adobe.exeAPI call chain: ExitProcess graph end node
              Source: C:\ProgramData\Adobe\Adobe.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_004349F9
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 6_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,6_2_0040DD85
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 3_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,3_2_0041CB50
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 3_2_004432B5 mov eax, dword ptr fs:[00000030h]3_2_004432B5
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 5_2_10004AB4 mov eax, dword ptr fs:[00000030h]5_2_10004AB4
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 3_2_00412077 GetProcessHeap,HeapFree,3_2_00412077
              Source: C:\ProgramData\Adobe\Adobe.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_004349F9
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 3_2_00434B47 SetUnhandledExceptionFilter,3_2_00434B47
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 3_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0043BB22
              Source: C:\Users\user\Desktop\6122.scr.exeCode function: 3_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00434FDC
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 5_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_100060E2
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 5_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_10002639
              Source: C:\ProgramData\Adobe\Adobe.exeCode function: 5_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_10002B1C
              Source: C:\Users\user\Desktop\6122.scr.exeMemory allocated: page read and write | page guardJump to behavior
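The two "mov eax, dword ptr fs:[00000030h]" rows above are the 32-bit read of the PEB pointer out of the TEB, the first instruction of a manual PEB->BeingDebugged check (what IsDebuggerPresent does without the import). The following added example, which is not code from the report or from the sample, scans a raw code buffer for that instruction and for a byte load of [reg+2] through the same register within a short window. The byte strings are hand-assembled constructed samples, and the recognised encodings and the 12-byte window are the author's assumptions, not anything the report states.

```python
import re
from typing import List, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit x86 encodings of the PEB read the report lists ("mov eax, dword ptr fs:[30h]"):
#   64 A1 30 00 00 00        mov eax, dword ptr fs:[30h]   (short moffs32 form)
#   64 8B /r 30 00 00 00     mov r32, dword ptr fs:[30h]   (ModRM mod=00, rm=101, disp32)
# The ModRM class lists 0x05 | (reg << 3) for the eight general registers.
PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")


def find_peb_reads(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, destination register) for every fs:[30h] load in `code`."""
    hits = []
    for m in PEB_READ.finditer(code):
        off = m.start()
        if code[off + 1] == 0xA1:
            reg = "eax"
        else:
            reg = REG32[(code[off + 2] >> 3) & 7]
        hits.append((off, reg))
    return hits


def find_being_debugged_checks(code: bytes, window: int = 12) -> List[int]:
    """Offsets of PEB loads that are followed, within `window` bytes, by a byte load of
    [reg+2] through the same register, i.e. a read of PEB->BeingDebugged.
    Recognised loads: 8A /r (mov r8, [base+disp8]) and 0F B6 /r (movzx r32, byte [base+disp8])."""
    found = []
    for off, reg in find_peb_reads(code):
        base = REG32.index(reg)
        start = off + (6 if code[off + 1] == 0xA1 else 7)   # skip the PEB read itself
        region = code[start:start + window]
        for i in range(len(region)):
            if region[i] == 0x8A and i + 2 < len(region):
                modrm, disp = region[i + 1], region[i + 2]
            elif region[i] == 0x0F and i + 3 < len(region) and region[i + 1] == 0xB6:
                modrm, disp = region[i + 2], region[i + 3]
            else:
                continue
            # mod=01 (disp8) and rm=base register; the reg field (destination) may be anything
            if (modrm & 0xC7) == (0x40 | base) and disp == 0x02:
                found.append(off)
                break
    return found


def triage(code: bytes) -> dict:
    """Summarise a buffer: plain PEB access (API resolution walks PEB->Ldr) vs. an anti-debug check."""
    reads = find_peb_reads(code)
    checks = find_being_debugged_checks(code)
    verdict = "anti-debug" if checks else ("peb-access" if reads else "clean")
    return {"peb_reads": len(reads), "being_debugged_checks": len(checks), "verdict": verdict}


# Constructed byte strings (not bytes from the analysed sample), hand-assembled for 32-bit x86.
SAMPLE_ANTIDEBUG = bytes.fromhex(
    "558BEC"            # push ebp; mov ebp, esp
    "64A130000000"      # mov eax, dword ptr fs:[30h]    -> PEB
    "8A4002"            # mov al, byte ptr [eax+2]       -> PEB.BeingDebugged
    "84C0"              # test al, al
    "7502"              # jne +2
    "9090"              # nop; nop
    "648B1D30000000"    # mov ebx, dword ptr fs:[30h]
    "0FB64302"          # movzx eax, byte ptr [ebx+2]    -> second check, via ebx
    "C3"                # ret
)
SAMPLE_LDR_WALK = bytes.fromhex(
    "64A130000000"      # mov eax, dword ptr fs:[30h]
    "8B400C"            # mov eax, [eax+0Ch]             -> PEB.Ldr (import resolution, not anti-debug)
    "8B4014"            # mov eax, [eax+14h]             -> InMemoryOrderModuleList
    "C3"
)
SAMPLE_BENIGN = bytes.fromhex("558BEC33C05DC3")   # push ebp; mov ebp, esp; xor eax, eax; pop ebp; ret

if __name__ == "__main__":
    for name, buf in [("antidebug", SAMPLE_ANTIDEBUG), ("ldr_walk", SAMPLE_LDR_WALK), ("benign", SAMPLE_BENIGN)]:
        print(name, triage(buf))
```

A bare fs:[30h] read is not evidence on its own, since shellcode and packers read PEB->Ldr to resolve imports; the verdict only becomes "anti-debug" when the PEB pointer is immediately dereferenced at offset 2.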

HIPS / PFW / Operating System Protection Evasion

Source: C:\ProgramData\Adobe\Adobe.exe; Memory written: C:\ProgramData\Adobe\Adobe.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\Adobe\Adobe.exe; Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write
Source: C:\ProgramData\Adobe\Adobe.exe; Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write
Source: C:\ProgramData\Adobe\Adobe.exe; Section loaded: NULL target: C:\ProgramData\Adobe\Adobe.exe protection: execute and read and write
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_004120F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, string: svchost.exe
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00419627 mouse_event
Source: C:\Users\user\Desktop\6122.scr.exe; Process created: C:\Users\user\Desktop\6122.scr.exe "C:\Users\user\Desktop\6122.scr.exe"
Source: C:\Users\user\Desktop\6122.scr.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"
Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"
Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq"
Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: C:\ProgramData\Adobe\Adobe.exe; Process created: C:\ProgramData\Adobe\Adobe.exe "C:\ProgramData\Adobe\Adobe.exe"
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001315000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program ManagerH
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001315000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001315000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program ManagerWH}
Source: Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: |Program Manager|
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00434C52 cpuid
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00452036 EnumSystemLocalesW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_004520C3 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00452313 GetLocaleInfoW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00448404 EnumSystemLocalesW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_0045243C GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00452543 GetLocaleInfoW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00452610 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_0040F8D1 GetLocaleInfoA
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_004488ED GetLocaleInfoW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00451CD8 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00451F50 EnumSystemLocalesW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00451F9B EnumSystemLocalesW
Source: C:\Users\user\Desktop\6122.scr.exe; Queries volume information: C:\Users\user\Desktop\6122.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\6122.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\6122.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\6122.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\6122.scr.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\6122.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\ProgramData\Adobe\Adobe.exe VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Adobe\Adobe.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_0040B164 GetLocalTime,wsprintfW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_0041B60D GetUserNameW
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 6_2_0041739B GetVersionExW
Source: C:\Users\user\Desktop\6122.scr.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
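Two of the rows above carry the section's security-relevant point. "Memory written: ... base: 400000 value starts with: 4D5A" together with the RWX "Section loaded" rows is a parent writing a fresh PE image over a child copy of itself, and the three "/stext "<temp file>"" self-spawns are the NirSoft password recovery switch (the Yara hit on WebBrowserPassView in the summary is the same tooling) being used to dump credentials into temp files. The following added example, which is not the sandbox's own detection logic, turns both into checks over a constructed, Sysmon-like event list; the event shapes, the PIDs and the 0x400000 image-base assumption are the author's, not values taken from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class MemoryWrite:
    source_pid: int
    target_pid: int
    base: int
    head: bytes          # first bytes written at `base`


# NirSoft-style "/stext <file>" switch: save the recovered passwords as a text file.
STEXT = re.compile(r'(?i)/stext\s+"?(.+?)"?\s*$')
TEMP_DIR = re.compile(r"(?i)\\(?:AppData\\Local\\Temp|Windows\\Temp)\\")
IMAGE_BASE_32 = 0x400000    # assumed: default image base of a non-relocated 32-bit PE


def self_spawn_stext(procs: List[ProcessCreate]) -> List[Tuple[str, int]]:
    """A process launching a copy of its own image with /stext pointing into a temp
    directory: the pattern used here to run embedded NirSoft recovery tools."""
    by_pid: Dict[int, ProcessCreate] = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or parent.image.lower() != p.image.lower():
            continue
        m = STEXT.search(p.cmdline)
        if m and TEMP_DIR.search(m.group(1)):
            hits.append(("self_spawn_stext", p.pid))
    return hits


def image_write_mz(writes: List[MemoryWrite]) -> List[Tuple[str, int]]:
    """Another process writing a PE header ('MZ', 4D 5A) at the target's image base:
    the hollowing step the report records as 'Memory written ... base: 400000 value starts with: 4D5A'."""
    hits = []
    for w in writes:
        if w.source_pid != w.target_pid and w.base == IMAGE_BASE_32 and w.head[:2] == b"MZ":
            hits.append(("image_write_mz", w.target_pid))
    return hits


def detect(procs: List[ProcessCreate], writes: List[MemoryWrite]) -> List[Tuple[str, int]]:
    return sorted(set(self_spawn_stext(procs) + image_write_mz(writes)))


# Constructed telemetry shaped after the report's process tree (not the sandbox's own log).
PROCS = [
    ProcessCreate(100, 1, r"C:\Users\user\Desktop\6122.scr.exe", r'"C:\Users\user\Desktop\6122.scr.exe"'),
    ProcessCreate(200, 100, r"C:\ProgramData\Adobe\Adobe.exe", r'"C:\ProgramData\Adobe\Adobe.exe"'),
    ProcessCreate(300, 200, r"C:\ProgramData\Adobe\Adobe.exe",
                  r'C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"'),
    ProcessCreate(301, 200, r"C:\ProgramData\Adobe\Adobe.exe",
                  r'C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"'),
    ProcessCreate(400, 200, r"C:\ProgramData\Adobe\Adobe.exe", r'"C:\ProgramData\Adobe\Adobe.exe"'),
    # different image than its parent and a non-temp output path: not the pattern
    ProcessCreate(500, 100, r"C:\Windows\System32\notepad.exe", r'notepad.exe /stext "C:\Users\user\Documents\a.txt"'),
]
WRITES = [
    MemoryWrite(200, 400, 0x400000, b"MZ\x90\x00"),     # parent stages a PE over the child's image
    MemoryWrite(200, 200, 0x400000, b"MZ\x90\x00"),     # self-write, ignored
    MemoryWrite(100, 400, 0x7FF00000, b"\x00\x00"),     # not a PE header, not at the image base
]

if __name__ == "__main__":
    for rule, pid in detect(PROCS, WRITES):
        print(f"{rule}: pid {pid}")
```

The self-spawn condition matters: a legitimate NirSoft run is launched by a user shell, whereas here the tool is carried inside the RAT's own image and started as a copy of it. Pairing the two rules on the same parent PID gives a single high-confidence event for this family's credential theft stage.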

Stealing of Sensitive Information

Source: Yara match; File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_0040BA12, string: \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_0040BB30, string: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_0040BB30, string: \key3.db
Source: C:\ProgramData\Adobe\Adobe.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\ProgramData\Adobe\Adobe.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\ProgramData\Adobe\Adobe.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\ProgramData\Adobe\Adobe.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\Adobe\Adobe.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\ProgramData\Adobe\Adobe.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\Adobe\Adobe.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\ProgramData\Adobe\Adobe.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\ProgramData\Adobe\Adobe.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\ProgramData\Adobe\Adobe.exe; Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\ProgramData\Adobe\Adobe.exe; Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\ProgramData\Adobe\Adobe.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\ProgramData\Adobe\Adobe.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\ProgramData\Adobe\Adobe.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\ProgramData\Adobe\Adobe.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 7_2_004033F0, string: ESMTPPassword
Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 7_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, string: PopPassword
Source: C:\ProgramData\Adobe\Adobe.exe; Code function: 7_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, string: SMTPPassword
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 6948, type: MEMORYSTR
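The file and registry rows above are the credential stores of Chrome, Edge, Firefox, Outlook and Windows Live Mail being opened by Adobe.exe rather than by the applications that own them, and a single process touching all of them in sequence is the signature of a password recovery tool rather than of any one application. The added example below, which is not code from the report, flags such foreign accesses over a constructed event list and escalates processes that touch several vendors' stores; the owner-process allowlist, the store path patterns and the PIDs are the author's assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Access:
    pid: int
    image: str      # process image name
    kind: str       # "file" or "reg"
    path: str       # file path or registry key


# (vendor, event kind, pattern over the path/key, processes that legitimately own the store).
# Assumed allowlist; extend it for backup agents or password managers you actually run.
CREDENTIAL_STORES = [
    ("chrome", "file",
     re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Web Data|Cookies)$", re.I), {"chrome.exe"}),
    ("edge", "file",
     re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\(Login Data|Web Data|Cookies)$", re.I), {"msedge.exe"}),
    ("firefox", "file",
     re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(key[34]\.db|logins\.json|signons\.sqlite)$", re.I), {"firefox.exe"}),
    ("outlook", "reg",
     re.compile(r"\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts$", re.I), {"outlook.exe"}),
    ("outlook", "reg",
     re.compile(r"\\Windows Messaging Subsystem\\Profiles$", re.I), {"outlook.exe"}),
    ("windows_live_mail", "reg",
     re.compile(r"\\Software\\Microsoft\\Windows Live Mail$", re.I), {"wlmail.exe"}),
]


def credential_store_hits(events: List[Access]) -> List[Tuple[int, str, str]]:
    """(pid, vendor, path) for every access to a credential store by a process
    that is not the store's owning application."""
    hits = []
    for e in events:
        for vendor, kind, pattern, owners in CREDENTIAL_STORES:
            if e.kind == kind and pattern.search(e.path) and e.image.lower() not in owners:
                hits.append((e.pid, vendor, e.path))
                break
    return hits


def harvesting_processes(events: List[Access], min_vendors: int = 2) -> Dict[int, List[str]]:
    """Processes that touch stores of at least `min_vendors` distinct applications:
    one foreign read may be a backup job, several in a row is a recovery tool."""
    vendors = defaultdict(set)
    for pid, vendor, _ in credential_store_hits(events):
        vendors[pid].add(vendor)
    return {pid: sorted(v) for pid, v in vendors.items() if len(v) >= min_vendors}


# Constructed events modelled on the rows above (not the sandbox's own log; PIDs are made up).
EVENTS = [
    Access(528, "Adobe.exe", "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Access(528, "Adobe.exe", "file", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    Access(528, "Adobe.exe", "file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db"),
    Access(528, "Adobe.exe", "file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite"),
    Access(1784, "Adobe.exe", "reg", r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"),
    Access(1784, "Adobe.exe", "reg", r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail"),
    Access(3000, "chrome.exe", "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),   # owner
    Access(3100, "Adobe.exe", "file", r"C:\Users\user\Documents\notes.txt"),                                         # not a store
]

if __name__ == "__main__":
    for pid, vendor, path in credential_store_hits(EVENTS):
        print(f"pid {pid} read {vendor} store: {path}")
    print(harvesting_processes(EVENTS))
```

places.sqlite is deliberately absent from the store list: it is browsing history, which the report files under "harvest browser information" rather than credentials, so it would only add noise to a password theft rule.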

Remote Access Functionality

Source: Yara match; File source: 3.2.6122.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.42f0650.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.6122.scr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.4d2cf20.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.4d2cf20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.6122.scr.exe.42f0650.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 6122.scr.exe PID: 6044, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 6122.scr.exe PID: 6180, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 528, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 1784, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 2220, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Adobe.exe PID: 4476, type: MEMORYSTR
Source: C:\Users\user\Desktop\6122.scr.exe; Code function: 3_2_0040569A, string: cmd.exe
MITRE ATT&CK Matrix (the number in parentheses is the count badge the report shows on a technique; techniques without one are the matrix's unobserved defaults)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API (21); Command and Scripting Interpreter (12); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Windows Service (1); Registry Run Keys / Startup Folder (11); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (222); Registry Run Keys / Startup Folder (11); Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); Timestomp (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (11); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (222)
Credential Access: OS Credential Dumping (2); Input Capture (111); Credentials in Registry (2); Credentials In Files (3); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (38); Security Software Discovery (131); Virtualization/Sandbox Evasion (31); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1); System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (111); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Defacement (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1519262; Sample: 6122.scr.exe; Startdate: 26/09/2024; Architecture: WINDOWS; Score: 100

Sample-wide nodes: DNS/IP geoplugin.net; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree (each indented process was started by the one above it):

6122.scr.exe
    dropped: C:\Users\user\AppData\...\6122.scr.exe.log (ASCII)
    signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionality to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
    6122.scr.exe
        dropped: C:\ProgramData\Adobe\Adobe.exe (PE32); C:\ProgramData\...\Adobe.exe:Zone.Identifier (ASCII)
        signatures: Creates autostart registry keys with suspicious names; Drops executable to a common third party application directory
        Adobe.exe
            signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file registry); Machine Learning detection for dropped file
            Adobe.exe
                DNS/IP: 104.250.180.178 (ports 49707, 49709, 7902; M247GB, United States); geoplugin.net 178.237.33.50 (ports 49710, 80; ATOM86-ASATOM86NL, Netherlands)
                signatures: Maps a DLL or memory area into another process
                Adobe.exe: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
                Adobe.exe: Tries to steal Mail credentials (via file / registry access)
                Adobe.exe
Adobe.exe (separate start)
    signatures: Injects a PE file into a foreign processes
    Adobe.exe
Adobe.exe (separate start)
    Adobe.exe
Adobe.exe (separate start)
    Adobe.exe

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand
Source | Detection | Scanner
6122.scr.exe | 29% | ReversingLabs
6122.scr.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner
C:\ProgramData\Adobe\Adobe.exe | 100% | Joe Sandbox ML
C:\ProgramData\Adobe\Adobe.exe | 29% | ReversingLabs

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://www.nirsoft.net | 0% | Avira URL Cloud | safe
http://www.imvu.com | 0% | Avira URL Cloud | safe
104.250.180.178 | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Avira URL Cloud | safe
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | 0% | Avira URL Cloud | safe
http://www.imvu.comr | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e | 0% | Avira URL Cloud | safe
https://www.office.com/ | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gptr$ | 0% | Avira URL Cloud | safe
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingaot | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | Avira URL Cloud | safe
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | 0% | Avira URL Cloud | safe
http://geoplugin.net/json.gp%r | 0% | Avira URL Cloud | safe
https://maps.windows.com/windows-app-web-link | 0% | Avira URL Cloud | safe
http://geoplugin.net/ | 0% | Avira URL Cloud | safe
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
https://login.yahoo.com/config/login | 0% | Avira URL Cloud | safe
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
http://www.ebuddy.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
104.250.180.178 | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P | bhv22E2.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://www.office.com/ | bhv22E2.tmp.6.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e | bhv22E2.tmp.6.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.com | Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | Adobe.exe, 00000006.00000002.2131344664.0000000000CF4000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | bhv22E2.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhv22E2.tmp.6.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gptr$ | Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 | bhv22E2.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF | bhv22E2.tmp.6.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/ | Adobe.exe, 00000005.00000002.4500521486.0000000001322000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaot | bhv22E2.tmp.6.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | 6122.scr.exe, 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, 6122.scr.exe, 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://maps.windows.com/windows-app-web-link | bhv22E2.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingrms | bhv22E2.tmp.6.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/accounts/servicelogin | Adobe.exe | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp%r | Adobe.exe, 00000005.00000002.4500276839.0000000001303000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | Adobe.exe | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ebuddy.com | Adobe.exe, Adobe.exe, 00000008.00000002.2124174613.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.250.180.178 | unknown | United States | 9009 | M247GB | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519262
Start date and time: 2024-09-26 09:24:57 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 6122.scr.exe
renamed because original name is a hash value
Original Sample Name: DN ISF S CLS930 KHH-TOLEDO(VIA NYC) SO#66158152 WKH2406122.scr.exe
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winEXE@22/7@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 146
• Number of non-executed functions: 360
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: 6122.scr.exe
Time | Type | Description
03:25:47 | API Interceptor | 1x Sleep call for process: 6122.scr.exe modified
03:25:49 | API Interceptor | 4386044x Sleep call for process: Adobe.exe modified
09:25:50 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
09:25:58 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
09:26:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
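The three Autostart rows above record one Run value, Adobe-OTOIRK, written to both HKCU and HKLM with a command that points at C:\ProgramData\Adobe\Adobe.exe, the self-copy the dropper wrote. Two traits make such an entry worth a look on any host: the image lives under a root a standard user can write to, and the same name and command were planted in both hives. The script below is an added example, not part of the report or of Joe Sandbox: it parses rows in the shape the report prints, extracts the image path from the (possibly quoted) command, and returns the entries that show either trait. The list of user-writable roots is a heuristic chosen for the example, the SecurityHealth row is a constructed benign control, and treating the report's HKCU64 prefix as the 64-bit view of the same HKCU hive is an assumption about its notation.

```python
"""Triage of autostart Run values (added example; not part of the Joe Sandbox report).

Parses rows in the shape the report prints under Autostart, e.g.
  Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"
and flags the traits a hunter pivots on: the image lives under a root an unprivileged
user can write to, and/or the same value name and command sit in both HKCU and HKLM.
"""
import re
from collections import defaultdict

# Roots writable by an unprivileged user (heuristic list chosen for this example).
USER_WRITABLE_ROOTS = (
    "c:\\programdata\\",
    "c:\\users\\",
    "c:\\windows\\temp\\",
    "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%public%",
)

# hive, optional "64" (assumed to be the report's marker for the 64-bit registry view),
# key path, value name (no spaces in the report's rows), then the command verbatim.
AUTOSTART_ROW = re.compile(
    r"^Run:\s+(?P<hive>HKLM|HKCU|HKU)(?:64)?\\(?P<key>\S+)\s+(?P<name>\S+)\s+(?P<cmd>.+?)\s*$"
)

# The report's three Autostart rows plus one constructed benign row as a control.
SAMPLE_ROWS = [
    r'Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"',
    r'Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"',
    r'Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Adobe-OTOIRK "C:\ProgramData\Adobe\Adobe.exe"',
    r'Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SecurityHealth C:\Windows\System32\SecurityHealthSystray.exe',  # constructed
]


def image_from_command(cmd):
    """First token of a Run command: the quoted path if quoted, else everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(maxsplit=1)[0]


def is_user_writable(image):
    """Case-insensitive prefix match against the user-writable roots."""
    p = image.lower()
    return any(p.startswith(root) for root in USER_WRITABLE_ROOTS)


def parse_autostart_rows(rows):
    """Turn report rows into dicts; rows that are not Run values are skipped."""
    entries = []
    for row in rows:
        m = AUTOSTART_ROW.match(row.strip())
        if not m:
            continue
        entries.append({
            "hive": m["hive"], "key": m["key"], "name": m["name"],
            "command": m["cmd"], "image": image_from_command(m["cmd"]),
        })
    return entries


def triage_autostart(entries):
    """Return the entries that deserve a look, each with the reasons it was flagged."""
    hives_by_value = defaultdict(set)
    for e in entries:
        hives_by_value[(e["name"].lower(), e["command"].lower())].add(e["hive"])
    findings = []
    for e in entries:
        reasons = []
        if is_user_writable(e["image"]):
            reasons.append("image under user-writable root")
        if {"HKCU", "HKLM"} <= hives_by_value[(e["name"].lower(), e["command"].lower())]:
            reasons.append("same value planted in both HKCU and HKLM")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autostart(parse_autostart_rows(SAMPLE_ROWS)):
        print(f"{f['hive']}\\...\\Run  {f['name']} -> {f['image']}: {'; '.join(f['reasons'])}")
```

Run as-is it prints the three Adobe-OTOIRK entries and stays silent on the control row; on a live host, export the Run keys of both hives and adapt the row regex to the export format, keeping the two checks unchanged.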
Columns: Associated Sample Name / URL | Detection | Threat Name | Context
Match: 104.250.180.178
  6122.scr.exe | malicious | Remcos
  DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe | malicious | XWorm
  BNE400266900B - RLS SO# W317pdf.scr.exe | malicious | Remcos
  BNE400266900A - BL NO.BNE400266900.pdf.scr.exe | malicious | XWorm
  (Draft) - SO# L539-SE2409060 Cut off #Uff19-15 - CHR# 487700191.scr.exe | malicious | Remcos
  SEA - SO#L539 (SO+INV+PKG+ISF+VGM).scr.exe | malicious | XWorm
  rSO3315RCOHBLKHRTMP249013CO240913.pdf.scr.exe | malicious | Remcos
  rBLNO.KHRTMP249013-SINGAPOREEXPRESSV.002W.scr.exe | malicious | XWorm
  SO#5087 (SO+INV+PKG+ISF+VGM) #U8acb#U67e5#U6536.scr.exe | malicious | Remcos
  BOOKING CLS 817 by SEA - CFS FM KHH TO FL (#U6cf0#U967d).scr.exe | malicious | XWorm
Match: 178.237.33.50
  6122.scr.exe | malicious | Remcos | geoplugin.net/json.gp
  SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | geoplugin.net/json.gp
  https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | geoplugin.net/json.gp
  file.exe | malicious | Remcos | geoplugin.net/json.gp
  SDWLLRJcsY.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
  BL.xls | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
  z65orderrequest.bat.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
  Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
  1DUCJGrpyb.exe | malicious | Remcos | geoplugin.net/json.gp
  1zbL83sqmd.rtf | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
Columns: Associated Sample Name / URL | Detection | Threat Name | Context
Match: geoplugin.net
  6122.scr.exe | malicious | Remcos | 178.237.33.50
  SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | 178.237.33.50
  Marys Organizer 2023 Release.zip | malicious | Remcos | 178.237.33.50
  https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 178.237.33.50
  file.exe | malicious | Remcos | 178.237.33.50
  SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 178.237.33.50
  BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
  z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
  Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
  1DUCJGrpyb.exe | malicious | Remcos | 178.237.33.50
Columns: Associated Sample Name / URL | Detection | Threat Name | Context
Match: M247GB
  6122.scr.exe | malicious | Remcos | 104.250.180.178
  DRAFT BL - CLS930 KHH-TOLEDO(VIA NYC) SO6615#U21928152 WKH2406122.scr.exe | malicious | XWorm | 104.250.180.178
  file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer | 91.202.233.158
  file.exe | malicious | Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT | 91.202.233.158
  SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf | malicious | Unknown | 158.46.140.169
  BNE400266900B - RLS SO# W317pdf.scr.exe | malicious | Remcos | 104.250.180.178
  BNE400266900A - BL NO.BNE400266900.pdf.scr.exe | malicious | XWorm | 104.250.180.178
  jD6b7MZOhT.exe | malicious | Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine | 91.202.233.158
  aL8prAD2gL.js | malicious | XWorm | 82.102.27.171
  Ref_5010_103.exe | malicious | AgentTesla | 172.86.66.70
Match: ATOM86-ASATOM86NL
  6122.scr.exe | malicious | Remcos | 178.237.33.50
  SecuriteInfo.com.Win32.PWSX-gen.9317.6656.exe | malicious | Remcos | 178.237.33.50
  Marys Organizer 2023 Release.zip | malicious | Remcos | 178.237.33.50
  https://maveuve.github.io/frlpodf/marynewreleasefax.html | malicious | Remcos | 178.237.33.50
  file.exe | malicious | Remcos | 178.237.33.50
  SDWLLRJcsY.exe | malicious | Remcos, GuLoader | 178.237.33.50
  BL.xls | malicious | Remcos, PureLog Stealer | 178.237.33.50
  z65orderrequest.bat.exe | malicious | GuLoader, Remcos | 178.237.33.50
  Fwo62RjOqH.rtf | malicious | Remcos, PureLog Stealer | 178.237.33.50
  1DUCJGrpyb.exe | malicious | Remcos | 178.237.33.50
                                    No context
                                    No context
Process: C:\Users\user\Desktop\6122.scr.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 906752
Entropy (8bit): 7.9156274851040465
Encrypted: false
SSDEEP: 12288:0SX+8K/4lBlrzDUw8s9pVdsVSEy202NKu8SnTo/Yj40Eg1grROuYFRl115yzuwdL:0J4fZDUw8YpVds9mt0o/Y7gMVvTy
MD5: 44FA8131343F26AAF5303090D7BBA260
SHA1: 6AE8634D960F8E659AD166D4E1D95297AC114DE3
SHA-256: AE72B0B7E4C361D0016ED97AC0664E0C8F3D31DD9627C993B635B5FAC24D7255
SHA-512: 90BA08E0CC3B8CC1F9DBE401E07110C667354A39DD52FFBAA7F2CBBEA93BB99D783FB48BEC60F759CAFCC1E9D3B74D7D5DB359C15DD48B4198608F6EE0E77A1D
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 29%
Reputation: low
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:T...............0.............z.... ........@.. .......................@............@.................................'...O............................ ..........p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................[.......H........]...3......#.......B............................................{....*"..}....*....0..f...........3...%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%..r...p.}.....(.....*...0.._........s....}.....s....}......}.....(.......(......{....(.......{....(......{....(.......{....(.....*..0............{....r...po.......o.....+d..(.......{......3...%..oB....%.r...p.%..oF......(.....%.r...p.%..oD......(.....%.(.....(....o........(....-...........o ...
Process: C:\Users\user\Desktop\6122.scr.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
                                    Preview:[ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\6122.scr.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\ProgramData\Adobe\Adobe.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\ProgramData\Adobe\Adobe.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.012309356796613
Encrypted: false
SSDEEP: 12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
MD5: 14B479958E659C5A4480548A393022AC
SHA1: CD0766C1DAB80656D469ABDB22917BE668622015
SHA-256: 0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
SHA-512: 4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
Malicious: false
                                    Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process: C:\ProgramData\Adobe\Adobe.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x3756608b, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 17301504
Entropy (8bit): 0.8011988782519069
Encrypted: false
SSDEEP: 6144:KdfjZb5aXEY2waXEY24URlMe4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:IVS4e81ySaKKjLrONseWe
MD5: AD8BE021F485D9B2913249500CEB4E63
SHA1: 2859A538FC16DDAA3276B9323BC00034AC1205C8
SHA-256: 61B874CF2938B55E0382C6F2476E887F241F552C9F7A022E95DE47653C4F6A63
SHA-512: 574EFEF974825BF20D7BD97C3BC16E29693875D61D3FCDE8E8BE55D454E508FE1B52E04C80868A610D920B20EC71BBAA9E9D30409D91917EAE23B21A8DE52F77
Malicious: false
                                    Preview:7V`.... .......;!......E{ow("...{........................@...../....{.. ....|a.h.B............................("...{q............................................................................................._...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{]...................................iC ....|a..................P. ....|a..........................#......h.B.....................................................................................................................................................................................................................................................................................................................................................
Process: C:\ProgramData\Adobe\Adobe.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
                                    Preview:..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.9156274851040465
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 6122.scr.exe
File size: 906'752 bytes
MD5: 44fa8131343f26aaf5303090d7bba260
SHA1: 6ae8634d960f8e659ad166d4e1d95297ac114de3
SHA256: ae72b0b7e4c361d0016ed97ac0664e0c8f3d31dd9627c993b635b5fac24d7255
SHA512: 90ba08e0cc3b8cc1f9dbe401e07110c667354a39dd52ffbaa7f2cbbea93bb99d783fb48bec60f759cafcc1e9d3b74d7d5db359c15dd48b4198608f6ee0e77a1d
SSDEEP: 12288:0SX+8K/4lBlrzDUw8s9pVdsVSEy202NKu8SnTo/Yj40Eg1grROuYFRl115yzuwdL:0J4fZDUw8YpVds9mt0o/Y7gMVvTy
TLSH: 39152298204AD653D4660BF45A62CAF017B49DC56211E357EFDA3CFBBCBAB0118C4B93
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:T................0.............z.... ........@.. .......................@............@................................
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0x4deb7a
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x9EE6543A [Wed Jun 24 06:22:50 2054 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdeb27 | 0x4f | .text
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe0000 | 0x5bc | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0xdd4c0 | 0x70 | .text
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x2000 | 0xdcb80 | 0xdcc00 | 6570516fa85d0ef4159be99853ed4323 | False | 0.9554994956823329 | data | 7.920388843552256 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rsrc | 0xe0000 | 0x5bc | 0x600 | 10442aaa58b479c6ee95d8c057bb10ad | False | 0.4205729166666667 | data | 4.098872369907401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0xe2000 | 0xc | 0x200 | 36bd04afb9aa5f795d167c6ae96d0e81 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_VERSION | 0xe0090 | 0x32c | data | | | 0.4273399014778325
                                     RT_MANIFEST | 0xe03cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                     DLL | Import
                                     mscoree.dll | _CorExeMain
                                     Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                     2024-09-26T09:25:51.543848+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49707 | 104.250.180.178 | 7902 | TCP
                                     2024-09-26T09:25:53.398729+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49710 | 178.237.33.50 | 80 | TCP
                                     2024-09-26T09:25:53.715689+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49709 | 104.250.180.178 | 7902 | TCP
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Sep 26, 2024 09:25:55.329569101 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.329612017 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.329622030 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.329695940 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.334676981 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.334717035 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.334738016 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.334795952 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.334806919 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.334851980 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.340236902 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.340265989 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.340279102 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.340286016 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.340291977 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.340334892 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.344850063 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.344863892 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.344877005 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.344949961 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.349816084 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.349841118 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.349849939 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.349945068 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.354758978 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.354773045 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.354784012 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.354850054 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.369731903 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.369755983 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.369766951 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.369801998 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.385261059 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.385318995 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.385332108 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.385361910 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.386946917 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.392334938 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.392362118 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.392412901 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.397253990 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.397635937 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.397696972 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.399797916 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.399847984 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.399859905 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.399904966 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.409564018 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.409595966 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.409605980 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.409658909 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.416892052 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.416906118 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.417002916 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.419960022 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.419987917 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.419998884 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.420053005 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.430074930 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.430152893 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.430162907 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.430175066 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.430250883 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.437216043 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.437242031 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.437290907 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.443559885 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.443572044 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.443609953 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.449930906 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.449944973 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.449955940 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.449992895 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.454653025 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.454689026 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.454699039 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.454736948 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.460033894 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.460068941 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.460078955 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.460088968 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.460129976 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.464915037 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.464952946 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.464962959 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.464986086 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.472512960 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.472526073 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.472559929 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.474864006 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.474889994 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.474900007 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.474904060 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.474941015 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.479607105 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.479619026 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.479655981 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.484518051 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.484626055 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.484666109 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.487217903 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.487230062 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.487298012 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.494772911 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.494786978 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.494797945 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.494829893 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.494852066 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.494889021 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.505935907 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.505949020 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.505984068 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.505995989 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.506006956 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.506021023 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.506045103 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.509999037 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.510011911 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.510024071 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.510046959 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.510085106 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.517819881 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.518251896 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.518296003 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.524835110 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.524966002 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.525015116 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.525170088 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.525213957 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.525229931 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.525260925 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.530105114 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.530132055 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.530142069 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.530148983 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.530184984 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.549149990 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.549168110 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.549179077 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.549190998 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.549241066 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.550437927 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.550476074 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.550486088 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.550522089 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.565536022 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.565572977 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.565592051 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.565603018 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.565618992 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.565663099 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.565985918 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.566030979 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.566040039 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.566051960 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.566083908 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.566355944 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.569925070 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.569968939 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.569972038 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.569978952 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.570013046 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.579879999 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.579900026 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.579912901 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.579945087 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.590141058 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.590183020 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.590193987 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.590198040 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.590208054 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.590229034 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.599879026 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.599895000 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.599908113 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.599921942 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.599951029 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.604967117 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.605000019 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.605010986 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.605046034 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.609585047 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.609617949 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.609627962 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.609643936 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.609668970 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.612066031 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.613852978 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.613902092 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.617393970 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.617506027 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.617553949 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.842901945 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.842920065 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.842937946 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.842950106 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.842966080 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.842983007 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.842983007 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.842995882 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843005896 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843014956 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843025923 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843029022 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843035936 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843045950 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843058109 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843065977 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843086958 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843096972 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843110085 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843118906 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843130112 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843141079 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843144894 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843178988 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843271971 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843283892 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843295097 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843303919 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843312979 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843313932 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843327045 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843349934 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843377113 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843396902 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843477964 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843489885 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843501091 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843512058 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843516111 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843522072 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843533993 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843538046 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843575001 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843637943 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843676090 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.843844891 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843950987 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.843982935 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.847873926 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.847912073 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.847923994 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.847950935 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.848107100 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.848143101 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.848146915 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.848156929 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.848197937 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.848222971 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.848234892 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.848284960 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.848982096 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.849010944 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.849021912 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.849044085 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:55.849107027 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.849117994 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:55.849143028 CEST497097902192.168.2.5104.250.180.178
Sep 26, 2024 09:25:55.849884033 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.849896908 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.849909067 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.849922895 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.849924088 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.849936962 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.849961042 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.849994898 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.850707054 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.850749969 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.850761890 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.850784063 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.850830078 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.850841999 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.850867033 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.851581097 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.851619005 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.851629972 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.851641893 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.851671934 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.851677895 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.851685047 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.851727962 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.852413893 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.852448940 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.852461100 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.852483988 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.852518082 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.852556944 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.853091955 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.853446960 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.853458881 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.853471994 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.853486061 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.853508949 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.853775024 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.853835106 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.853878975 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.854155064 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.854181051 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.854216099 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.854226112 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.854238987 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.854271889 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.854834080 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.855190992 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.855204105 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.855226994 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.855227947 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.855262041 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.855575085 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.855665922 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.855701923 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.855851889 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.855865002 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.855901957 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.855932951 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.855942965 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.855979919 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.856519938 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.856573105 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.856585026 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.856606960 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.856611967 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.856642962 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.857001066 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.857050896 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.857063055 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.857074976 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.857084990 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.857108116 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.857424974 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.858128071 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.858184099 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.862026930 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.862313986 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.862360001 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.865096092 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.865133047 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.865144014 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.865164995 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.870352983 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.870389938 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.870404005 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.870403051 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.870414972 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.870439053 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.877141953 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.877187967 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.878659964 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.884944916 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.884968996 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.884979963 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.884991884 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.884994030 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.885027885 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.886899948 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.886914015 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.886939049 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.895045042 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.895077944 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.895087957 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.895097017 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.895124912 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.899816990 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.899847984 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.899857998 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.899869919 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.899893045 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.899915934 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.907351017 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.907366037 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.907409906 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.910021067 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.910063982 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.910075903 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.910098076 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.910099030 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.910142899 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.917226076 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.917388916 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.917435884 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.920485973 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.920564890 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.920615911 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.920644045 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.924880981 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.924895048 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.924906015 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.924918890 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.924942970 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.924990892 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.939815998 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.939855099 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.939865112 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.939865112 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.939908028 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.940129042 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.940167904 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.940177917 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.940216064 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.949423075 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.949471951 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.949496031 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.950099945 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.950144053 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.950145006 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.950155020 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.950185061 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.950200081 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.957688093 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.957701921 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.957755089 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.964720964 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.964750051 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.964799881 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.969841957 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.969871044 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.969881058 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.969939947 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.969978094 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.972381115 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.972433090 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.972568989 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.979582071 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.979609966 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.979619026 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.979669094 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.980007887 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.980031013 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.980041027 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.980072021 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.980108023 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.987129927 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.987404108 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.987457037 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.990205050 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.990228891 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.990241051 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.990262032 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.990288973 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.990313053 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.994685888 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.994731903 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.994771004 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:55.997338057 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.997392893 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:55.997431040 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.010503054 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.010533094 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.010543108 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.010570049 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.010579109 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.010742903 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.010742903 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.019668102 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.019696951 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.019716024 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.019725084 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.019785881 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.019845963 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.024661064 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.024687052 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.024697065 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.024708986 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.024739027 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.027106047 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.027254105 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.027326107 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.029975891 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.030000925 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.030010939 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.030038118 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.034792900 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.034822941 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.034832954 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.034852028 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.034878016 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.039863110 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.039891958 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.039901972 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.039932013 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.045028925 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.045042992 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.045116901 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.055088043 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.055103064 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.055114031 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.055269003 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.055269003 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.059623957 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.059710979 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.059760094 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.060030937 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.060096979 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.060106993 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.060117960 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.060139894 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.060164928 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.065063953 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.065093994 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.065103054 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.065176964 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.070302010 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.070343018 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.070352077 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.070353985 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.070365906 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.070389986 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.074687958 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.074726105 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.074733019 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.074736118 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.074780941 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.077471018 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.077544928 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.077588081 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.079890966 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.079931021 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.079941034 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.079968929 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.081981897 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.082022905 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.082189083 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.085141897 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.085155010 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.085166931 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.085177898 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.085206032 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.085239887 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.089770079 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.089802027 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.089853048 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.094988108 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.095016956 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.095026016 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.095042944 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.095079899 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.100106001 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.100133896 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.100166082 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.100174904 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.100178003 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.100222111 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.106950045 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.107198000 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.107242107 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.110101938 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.110138893 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.110148907 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.110182047 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.117928982 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.117943048 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.117971897 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.130938053 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.130965948 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.130975962 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.130994081 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.131278038 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.134769917 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.134815931 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.134862900 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.142354012 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.142366886 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.142407894 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.147142887 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.147161961 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.147202969 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.152556896 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.153134108 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.153187990 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.164999008 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.165077925 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.165128946 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.165132999 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.165175915 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.165185928 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.165222883 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.170113087 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.170155048 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.170165062 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.170165062 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.170216084 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.177349091 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.177364111 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.177434921 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.190119982 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.190135002 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.190149069 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.190161943 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.190180063 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.190210104 CEST  49709  7902   192.168.2.5      104.250.180.178
Sep 26, 2024 09:25:56.204879045 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.204915047 CEST  7902   49709  104.250.180.178  192.168.2.5
Sep 26, 2024 09:25:56.204926014 CEST  7902   49709  104.250.180.178  192.168.2.5
                                    Sep 26, 2024 09:25:56.204937935 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.204952955 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.204979897 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.205322981 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.205344915 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.205353975 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.205385923 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.209919930 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.209934950 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.209945917 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.210009098 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.218394995 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.218408108 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.218523026 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.226097107 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.226129055 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.226139069 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.226200104 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.230829954 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.230922937 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.230952024 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.230963945 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.231014967 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.239840031 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.239856005 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.239939928 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.245239019 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.245268106 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.245280027 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.245317936 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.245359898 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.245392084 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.252291918 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.252305984 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.252382994 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.271047115 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.271064043 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.271075964 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.271254063 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.275841951 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.275856972 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.275871038 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.275913000 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.275939941 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.275964022 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.281137943 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.281224012 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.281287909 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.281301022 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.281311989 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.281333923 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.289761066 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.289774895 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.289787054 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.289799929 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.289839029 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.289870977 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.292290926 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.292304993 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.292371988 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.295311928 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.295336962 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.295347929 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:56.295363903 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:56.295408964 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:57.416260004 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:57.421361923 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.421396971 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.421406984 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.421416044 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.421436071 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.421443939 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.421452045 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.421462059 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.421469927 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.421489954 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:25:57.421581984 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.426361084 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.426409006 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.426417112 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.426425934 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.426434994 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.426449060 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.426814079 CEST790249709104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:25:57.427282095 CEST497097902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:26:24.945516109 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:26:24.956713915 CEST497077902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:26:24.961560011 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:26:55.021581888 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:26:55.023044109 CEST497077902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:26:55.027916908 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:27:25.052038908 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:27:25.053397894 CEST497077902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:27:25.058434010 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:27:42.748637915 CEST4971080192.168.2.5178.237.33.50
                                    Sep 26, 2024 09:27:43.137537956 CEST4971080192.168.2.5178.237.33.50
                                    Sep 26, 2024 09:27:43.840637922 CEST4971080192.168.2.5178.237.33.50
                                    Sep 26, 2024 09:27:45.043878078 CEST4971080192.168.2.5178.237.33.50
                                    Sep 26, 2024 09:27:47.528171062 CEST4971080192.168.2.5178.237.33.50
                                    Sep 26, 2024 09:27:52.340687990 CEST4971080192.168.2.5178.237.33.50
                                    Sep 26, 2024 09:27:55.061435938 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:27:55.064728022 CEST497077902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:27:55.069642067 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:28:02.043762922 CEST4971080192.168.2.5178.237.33.50
                                    Sep 26, 2024 09:28:25.081619024 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:28:25.086632013 CEST497077902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:28:25.091535091 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:28:55.091236115 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:28:55.092885971 CEST497077902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:28:55.097970963 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:29:25.120373964 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:29:25.122828960 CEST497077902192.168.2.5104.250.180.178
                                    Sep 26, 2024 09:29:25.127877951 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:29:55.120687008 CEST790249707104.250.180.178192.168.2.5
                                    Sep 26, 2024 09:29:55.168715000 CEST497077902192.168.2.5104.250.180.178
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 09:25:52.760191917 CEST | 52987 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 09:25:52.767888069 CEST | 53 | 52987 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 09:25:52.760191917 CEST | 192.168.2.5 | 1.1.1.1 | 0x993f | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 09:25:52.767888069 CEST | 1.1.1.1 | 192.168.2.5 | 0x993f | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                    • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49710 | 178.237.33.50 | 80 | 528 | C:\ProgramData\Adobe\Adobe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 09:25:52.782690048 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Sep 26, 2024 09:25:53.398608923 CEST | 1170 | IN | HTTP/1.1 200 OK
                                    date: Thu, 26 Sep 2024 07:25:53 GMT
                                    server: Apache
                                    content-length: 962
                                    content-type: application/json; charset=utf-8
                                    cache-control: public, max-age=300
                                    access-control-allow-origin: *
                                    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                    Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                    Target ID:0
                                    Start time:03:25:46
                                    Start date:26/09/2024
                                    Path:C:\Users\user\Desktop\6122.scr.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\6122.scr.exe"
                                    Imagebase:0xe10000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2059716240.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2059716240.0000000004229000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:03:25:47
                                    Start date:26/09/2024
                                    Path:C:\Users\user\Desktop\6122.scr.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\6122.scr.exe"
                                    Imagebase:0x520000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2048067973.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:4
                                    Start time:03:25:47
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0xd80000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 29%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:5
                                    Start time:03:25:49
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0x9c0000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.4500036931.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:false

                                    Target ID:6
                                    Start time:03:25:55
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\kdsjilcrslq"
                                    Imagebase:0x7c0000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:7
                                    Start time:03:25:55
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\vxgujvmlgtiaot"
                                    Imagebase:0x640000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:8
                                    Start time:03:25:55
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\ProgramData\Adobe\Adobe.exe /stext "C:\Users\user\AppData\Local\Temp\xrlnjoxmubafqzncq"
                                    Imagebase:0xb80000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:9
                                    Start time:03:25:58
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0xc00000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:10
                                    Start time:03:25:59
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0xea0000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2159549546.0000000001397000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:12
                                    Start time:03:26:06
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0xac0000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:13
                                    Start time:03:26:08
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0x630000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2250791131.0000000000DD7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:14
                                    Start time:03:26:15
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0x460000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:15
                                    Start time:03:26:15
                                    Start date:26/09/2024
                                    Path:C:\ProgramData\Adobe\Adobe.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\ProgramData\Adobe\Adobe.exe"
                                    Imagebase:0xe90000
                                    File size:906'752 bytes
                                    MD5 hash:44FA8131343F26AAF5303090D7BBA260
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2323206616.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:8.5%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:100
                                      Total number of Limit Nodes:7

                                      Control-flow Graph (function at 17c4b01)
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2045167489.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17c0000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: `Q]q
                                      • API String ID: 0-1594560043
                                      • Opcode ID: 8ac384a0934b8c9d5d68c23a43b3b0a1d5ca237f79e7f68962fe26da2a229f41
                                      • Instruction ID: 9a000cfed7e87c1f4a05123eed36a89784d548e09aa19044f49813265921b7e4
                                      • Opcode Fuzzy Hash: 8ac384a0934b8c9d5d68c23a43b3b0a1d5ca237f79e7f68962fe26da2a229f41
                                      • Instruction Fuzzy Hash: EFB19D676205428BC732B27DD83E667AAC1476A638F26C28CD25ADF7F3D6D6C805C305

                                      Control-flow Graph (function at 17cb0a8)
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 017CB2FE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2045167489.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17c0000_6122.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: a02c34b5101e4b114adb5fac6e9c10b8291d4a4e124beadbbffa8cab1dad8d27
                                      • Instruction ID: 840c163b3c451e5f10ed58789ed88f9c29bfbb3fc33cc633b5d0ae2feb503bd2
                                      • Opcode Fuzzy Hash: a02c34b5101e4b114adb5fac6e9c10b8291d4a4e124beadbbffa8cab1dad8d27
                                      • Instruction Fuzzy Hash: 6B712270A00B058FD724DF6AD44579AFBF5FF88B40F008A2DE48A97A54EB35E845CB91

                                      Control-flow Graph (function at 17c590c)
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 017C59C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2045167489.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17c0000_6122.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 94986aa38c228dd31f20d438e70d5cd1746951ea253a86922a2741e4bdbdb0c2
                                      • Instruction ID: 6c7a8f6dc21bdc5d91fd43948277dddb950873455764de9a1b237b29277fab82
                                      • Opcode Fuzzy Hash: 94986aa38c228dd31f20d438e70d5cd1746951ea253a86922a2741e4bdbdb0c2
                                      • Instruction Fuzzy Hash: 8541D3B1D00719CBDB14DFA9C88469EBBF5BF49704F20806ED408AB255DB756946CF90

                                      Control-flow Graph (function at 17c44b4)
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 017C59C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2045167489.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17c0000_6122.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: b3d29c033ccbd5aee006c4bb611ebbf43bec4c699edc6353f210e78cd2a5601f
                                      • Instruction ID: ebfa78d61ca92fde4c0e07115f2cf373c7aed701ea874af45662cdd34b550107
                                      • Opcode Fuzzy Hash: b3d29c033ccbd5aee006c4bb611ebbf43bec4c699edc6353f210e78cd2a5601f
                                      • Instruction Fuzzy Hash: 4B41D0B1D00719CADB24DFAAC884A9EFBF5BF49704F20806ED408AB255DB756946CF90

                                      Control-flow Graph (function at 17cd0b8)
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,017CD54E,?,?,?,?,?), ref: 017CD60F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2045167489.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17c0000_6122.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: aa06f7efb0e48f53cc15e2fa972dd60fd02d611d158a0814719aca067c5de330
                                      • Instruction ID: 0c866fd8eb8031eb87980921f679e91ad616ea987cf11b80e7496e15eab7bdac
                                      • Opcode Fuzzy Hash: aa06f7efb0e48f53cc15e2fa972dd60fd02d611d158a0814719aca067c5de330
                                      • Instruction Fuzzy Hash: 3F21E5B59002489FDB10CF9AD984AEEFFF4EB58310F14842AE918A7350D378A954CFA5

                                      Control-flow Graph (function at 17cd581)
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,017CD54E,?,?,?,?,?), ref: 017CD60F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2045167489.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17c0000_6122.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: b5386664d3f7d41651874df083b737355c70c8267b4f77f29d7309e838c8bb5e
                                      • Instruction ID: 698854dd7f3ed0804030200a8f1f873765981ef4bc8369f090d14c9a69b5692f
                                      • Opcode Fuzzy Hash: b5386664d3f7d41651874df083b737355c70c8267b4f77f29d7309e838c8bb5e
                                      • Instruction Fuzzy Hash: 7C21C6B59002489FDB10CF9AD984ADEFFF5FB48710F14841AE918A3350D379A954CFA5

                                      Control-flow Graph (function at 78f1438)
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 078F149D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2062435799.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_78f0000_6122.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 5a602a3caf01c003e47c14a91b7d46f2e32ef5cfe7b1da4c69443ffe8781a05a
                                      • Instruction ID: 95fa21a07721620bea0f2044e7c0c5dc47fa440747a53918a216a73403234109
                                      • Opcode Fuzzy Hash: 5a602a3caf01c003e47c14a91b7d46f2e32ef5cfe7b1da4c69443ffe8781a05a
                                      • Instruction Fuzzy Hash: 2711F5B5800249DFCB10DF9AD989BDEBBF9EB58310F10841AE518A3250D379A644CFA5

                                      Control-flow Graph (function at 17cb298)
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 017CB2FE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2045167489.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17c0000_6122.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 98af8175139ad04e18fa727a26ac4cba76ee69a6915e73c847bb7de866dfed1b
                                      • Instruction ID: 962d4560344cbcbbbcf489bb290e0d855bb648f5eeafcfd73d50ef58093dc8f9
                                      • Opcode Fuzzy Hash: 98af8175139ad04e18fa727a26ac4cba76ee69a6915e73c847bb7de866dfed1b
                                      • Instruction Fuzzy Hash: B91110B5C002498FDB10CF9AC444ADEFBF8EF88710F10842ED919A7210C379A545CFA5

                                      Control-flow Graph (function at 78f1440)
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 078F149D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2062435799.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_78f0000_6122.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 0441fae213f5a99a5dc1dfb70693fe6c6f1b148293db01235cb3f1ef8436bde6
                                      • Instruction ID: b6c7cb5d3c9310129cb378dcb8bc23507e0d64b0abb9538281620882017e70d9
                                      • Opcode Fuzzy Hash: 0441fae213f5a99a5dc1dfb70693fe6c6f1b148293db01235cb3f1ef8436bde6
                                      • Instruction Fuzzy Hash: 6111D3B5800349DFDB10DF9AD989BDEFBF8EB58310F108419E518A7250D379A544CFA5

                                      Control-flow Graph (function at 78f3590)
                                      APIs
                                      • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,078F3449,?,?), ref: 078F35F0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2062435799.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_78f0000_6122.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: d3662fadbf42c30749182f68a7062f238a5d4bd969f308c8536d3df0a75ace3c
                                      • Instruction ID: a62036787044b694bc84c055f53fbccb836e5c5754901a0e8dbb197cb02836fc
                                      • Opcode Fuzzy Hash: d3662fadbf42c30749182f68a7062f238a5d4bd969f308c8536d3df0a75ace3c
                                      • Instruction Fuzzy Hash: DD1136B5800249DFCB10DF9AC585BEEFBF4EB48320F20841AD559A7340D339A544CFA5

                                      Control-flow Graph (function at 78f2cc8)
                                      APIs
                                      • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,078F3449,?,?), ref: 078F35F0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2062435799.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_78f0000_6122.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: fb5a1cce19a6f125b0ba2cb0c52b541c4fe9aaa9353f0f2d9dc71c78180f115a
                                      • Instruction ID: cd59c0181b3b69cab7aa53a7b87fcf64c3ba28653ff9eba1b057dcb4c36615b6
                                      • Opcode Fuzzy Hash: fb5a1cce19a6f125b0ba2cb0c52b541c4fe9aaa9353f0f2d9dc71c78180f115a
                                      • Instruction Fuzzy Hash: 8F1125B5800749DFCB20DF9AC545BEEBBF4EB58320F108419E659A7740D338A944CFA5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2043644103.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_14dd000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fcf35d498d05354d8fce5bbe89808072f5895e636083c43f510b2f8ab902afff
                                      • Instruction ID: 2a1ace994d3731227c18d6f9222f24f960882d973419f76322ff8f41a997256f
                                      • Opcode Fuzzy Hash: fcf35d498d05354d8fce5bbe89808072f5895e636083c43f510b2f8ab902afff
                                      • Instruction Fuzzy Hash: 7221F471940240DFDF15DF58D9A0F27BF65FB88318F60C56AD9090A2A6C33AD416C7A1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2043644103.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_14dd000_6122.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 636598a70f519f549531338d0a29a8743a64623e1eda657338bd4c836bec5e74
                                      • Instruction ID: e79c313bf6778fb8de9d55e3729d1b87a462e20a30e95b1864c4e89d2bf86dfd

                                      Execution Graph

                                      Execution Coverage:2%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:1.9%
                                      Total number of Nodes:742
                                      Total number of Limit Nodes:17

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                      • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                      • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                      • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                      • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$HandleModule
                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                      • API String ID: 4236061018-3687161714
                                      • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                      • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                      • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                      • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
[Control-flow graph for the function at 40e9c5 (basic blocks 40e9c5 through 40f3af); the rendered graph and its edge list are not reproduced here. Windows API calls visible in the graph: GetModuleFileNameW, CreateThread (several sites), StrToIntA, Sleep, DeleteFileW.]
                                      APIs
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\6122.scr.exe,00000104), ref: 0040E9EE
                                        • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                      • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\6122.scr.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                      • API String ID: 2830904901-1263283806
                                      • Opcode ID: 6b788d8bef068796558963f7ecebd42bb934510d76b3b9a953e2bf2f734d2ff5
                                      • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                      • Opcode Fuzzy Hash: 6b788d8bef068796558963f7ecebd42bb934510d76b3b9a953e2bf2f734d2ff5
                                      • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                      Control-flow Graph

                                      APIs
                                      • _wcslen.LIBCMT ref: 0040CE07
                                      • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                      • CopyFileW.KERNELBASE(C:\Users\user\Desktop\6122.scr.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                      • _wcslen.LIBCMT ref: 0040CEE6
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\6122.scr.exe,00000000,00000000), ref: 0040CF84
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                      • _wcslen.LIBCMT ref: 0040CFC6
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                      • ExitProcess.KERNEL32 ref: 0040D062
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                      • String ID: 6$C:\Users\user\Desktop\6122.scr.exe$del$open
                                      • API String ID: 1579085052-853654235
                                      • Opcode ID: 814849405574f27cdfff210f7d5faa9ce691f1cc33a2f2159ed20f1a2e65d6c6
                                      • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                      • Opcode Fuzzy Hash: 814849405574f27cdfff210f7d5faa9ce691f1cc33a2f2159ed20f1a2e65d6c6
                                      • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

                                      Control-flow Graph

                                      APIs
                                      • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LongNamePath
                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                      • API String ID: 82841172-425784914
                                      • Opcode ID: 46d901405b7c4f1817ae1d48af55330febbd656c9bbb3008c43cf957afa3439e
                                      • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                      • Opcode Fuzzy Hash: 46d901405b7c4f1817ae1d48af55330febbd656c9bbb3008c43cf957afa3439e
                                      • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                        • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                        • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                        • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                      • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCurrentOpenProcessQueryValue
                                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      • API String ID: 1866151309-2070987746
                                      • Opcode ID: b004e89fecfca72c60d0d2d1a8fce3e40073890883e7b2a8564e183fd8eeb87f
                                      • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                      • Opcode Fuzzy Hash: b004e89fecfca72c60d0d2d1a8fce3e40073890883e7b2a8564e183fd8eeb87f
                                      • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 656 413814-413827 RegCreateKeyW 657 413866 656->657 658 413829-413864 call 40247c call 401f04 RegSetValueExW RegCloseKey 656->658 659 413868-413876 call 401f09 657->659 658->659
                                      APIs
                                      • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                      • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,759237E0,?), ref: 0041384D
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,759237E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 1818849710-1051519024
                                      • Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                      • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                      • Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
                                      • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 666 40d069-40d095 call 401fab CreateMutexA GetLastError
                                      APIs
                                      • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                      • GetLastError.KERNEL32 ref: 0040D083
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateErrorLastMutex
                                      • String ID: SG
                                      • API String ID: 1925916568-3189917014
                                      • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                      • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                      • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                      • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 669 4135a6-4135d2 RegOpenKeyExA 670 4135d4-4135fc RegQueryValueExA RegCloseKey 669->670 671 413607 669->671 672 413609 670->672 673 4135fe-413605 670->673 671->672 674 41360e-41361a call 402093 672->674 673->674
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                      • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
                                      • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                      • Opcode Fuzzy Hash: 2c354c38eb467919e259a426341f00e1060616e4a77f0ac470f93c7e2a8fe8f5
                                      • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 677 413549-413571 RegOpenKeyExA 678 4135a0 677->678 679 413573-41359e RegQueryValueExA RegCloseKey 677->679 680 4135a2-4135a5 678->680 679->680
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                      • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                      • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                      • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                      • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94

                                      Control-flow Graph (basic blocks and edges; the rendered graph was not captured)
                                      • 681: 40165e-401664 -> 682, 683
                                      • 682: 401666-401668
                                      • 683: 401669-401674 -> 684, 685
                                      • 684: 401676 -> 685
                                      • 685: 40167b-401685 -> 686, 687
                                      • 686: 401687-40168d -> 687, 689
                                      • 687: 4016a8-4016a9 call 4344ea -> 690
                                      • 689: 40168f-401694 -> 684, 691
                                      • 690: 4016ae-4016af -> 692
                                      • 691: 401696-4016a6 call 4344ea -> 692
                                      • 692: 4016b1-4016b3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                      • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                      • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                      • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

                                      Control-flow Graph (basic blocks and edges; the rendered graph was not captured)
                                      • 723: 446137-446143 -> 724, 725
                                      • 724: 446175-446180 call 4405dd -> 732
                                      • 725: 446145-446147 -> 727, 728
                                      • 727: 446160-446171 RtlAllocateHeap -> 729, 730
                                      • 728: 446149-44614a -> 727
                                      • 729: 446173 -> 732
                                      • 730: 44614c-446153 call 445545 -> 724, 735
                                      • 732: 446182-446184
                                      • 735: 446155-44614e call 442f80 -> 724, 727
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                      • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                      • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                      • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                      • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                      • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                        • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                        • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                        • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                      • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                      • DeleteFileA.KERNEL32(?), ref: 00408652
                                        • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                        • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                        • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                        • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                      • Sleep.KERNEL32(000007D0), ref: 004086F8
                                      • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                        • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                      • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                      • API String ID: 1067849700-181434739
                                      • Opcode ID: b08ec038c843015cc658e55876cd7923d244435ed02f080ae07065bd7f36788e
                                      • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                      • Opcode Fuzzy Hash: b08ec038c843015cc658e55876cd7923d244435ed02f080ae07065bd7f36788e
                                      • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 004056E6
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • __Init_thread_footer.LIBCMT ref: 00405723
                                      • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                      • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                      • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                      • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                      • CloseHandle.KERNEL32 ref: 00405A23
                                      • CloseHandle.KERNEL32 ref: 00405A2B
                                      • CloseHandle.KERNEL32 ref: 00405A3D
                                      • CloseHandle.KERNEL32 ref: 00405A45
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                      • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                      • API String ID: 2994406822-18413064
                                      • Opcode ID: 9fdb2614b32db6a8ce990b4168d70707e98bdb19d6332ad615b030cef840106b
                                      • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                      • Opcode Fuzzy Hash: 9fdb2614b32db6a8ce990b4168d70707e98bdb19d6332ad615b030cef840106b
                                      • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 00412106
                                        • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                        • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                        • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                      • CloseHandle.KERNEL32(00000000), ref: 00412155
                                      • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                      • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                      • API String ID: 3018269243-13974260
                                      • Opcode ID: 7579134408927576322ff34649d0b5464798f67aa42af6ea2314acf5978c42f8
                                      • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                      • Opcode Fuzzy Hash: 7579134408927576322ff34649d0b5464798f67aa42af6ea2314acf5978c42f8
                                      • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                      • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                      • FindClose.KERNEL32(00000000), ref: 0040BD12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                      • API String ID: 1164774033-3681987949
                                      • Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                                      • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                      • Opcode Fuzzy Hash: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
                                      • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                      APIs
                                      • OpenClipboard.USER32 ref: 004168C2
                                      • EmptyClipboard.USER32 ref: 004168D0
                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                      • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                      • CloseClipboard.USER32 ref: 00416955
                                      • OpenClipboard.USER32 ref: 0041695C
                                      • GetClipboardData.USER32(0000000D), ref: 0041696C
                                      • GlobalLock.KERNEL32(00000000), ref: 00416975
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                      • CloseClipboard.USER32 ref: 00416984
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                      • String ID: !D@
                                      • API String ID: 3520204547-604454484
                                      • Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                                      • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                      • Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
                                      • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                      • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                      • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                      • FindClose.KERNEL32(00000000), ref: 0040BED0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$File$FirstNext
                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 3527384056-432212279
                                      • Opcode ID: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                                      • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                      • Opcode Fuzzy Hash: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
                                      • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4B9
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                      • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                      • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                      • API String ID: 3756808967-1743721670
                                      • Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                                      • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                      • Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
                                      • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0$1$2$3$4$5$6$7$VG
                                      • API String ID: 0-1861860590
                                      • Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                                      • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                      • Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
                                      • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                      APIs
                                      • _wcslen.LIBCMT ref: 00407521
                                      • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Object_wcslen
                                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                      • API String ID: 240030777-3166923314
                                      • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                      • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                      • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                      • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
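                                      The function records above are what an analyst reads by hand: the HKCU registry read (RegOpenKeyExA with 80000001 / 00020019), the cmd.exe shell driven over anonymous pipes (CreatePipe, CreateProcessA, PeekNamedPipe, ReadFile, WriteFile with a 0x12C ms poll), the Firefox logins.json / key3.db and cookies.sqlite wiping, the clipboard read/write, the Toolhelp process walk looking for ieinstal.exe / ielowutil.exe, and the CoGetObject call whose strings carry the COM elevation moniker "Elevation:Administrator!new:" plus the CMSTPLUA class {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, which is the behaviour the report's "Contains functionality to bypass UAC (CMSTPLUA)" signature refers to. The "[+] ucmAllocateElevatedObject" log string matches the naming of the public UACMe project, so the routine appears to be lifted from it; whether the moniker elevates without a prompt depends on the calling process passing the auto-elevation check, which this report does not show. The following Python is an added example, not code from the Joe Sandbox report or from Remcos: it parses the plugin's "APIs" and "String ID" lines into records, decodes a handful of Win32 constants that occur on this page, and tags those behaviours automatically. The constant table and rule list are the editor's own choices, and the two sample blocks are copied from the records above.

```python
"""Added example (not from the Joe Sandbox report or from Remcos): parse the
per-function 'APIs' and 'String ID' lines of a Joe Sandbox IDA-plugin dump,
decode a few well-known Win32 constants, and tag behaviours for triage."""
import re
from dataclasses import dataclass


@dataclass
class ApiCall:
    api: str        # e.g. "RegOpenKeyExA"
    module: str     # e.g. "KERNELBASE"
    args: list      # argument tokens exactly as the plugin printed them
    ref: str        # call-site address
    subcall: str    # sub-function the call lives in ("Part of subcall function"), "" if direct


# The three line shapes in the dump (leading bullet already stripped):
#   RegOpenKeyExA.KERNELBASE(80000001,...,00020019,...), ref: 00413569
#   CloseHandle.KERNEL32 ref: 00405A23
#   Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?), ref: 0041C2EC
_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_@0-9]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)

# (API name, zero-based argument index) -> {value: symbolic name}. Editor's table,
# limited to constants that occur in this report.
CONSTANTS = {
    ("RegOpenKeyExA", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("RegOpenKeyExA", 3): {0x20019: "KEY_READ"},
    ("OpenProcess", 0): {0x1FFFFF: "PROCESS_ALL_ACCESS", 0x400: "PROCESS_QUERY_INFORMATION",
                         0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"},
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("SetClipboardData", 0): {0xD: "CF_UNICODETEXT"},
    ("SystemParametersInfoW", 0): {0x14: "SPI_SETDESKWALLPAPER"},
}

# (tag, APIs that must all be present, substrings that must each match some string)
RULES = [
    ("uac_bypass_com_elevation_moniker", {"CoGetObject"},
     ["Elevation:Administrator!new:", "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"]),
    ("remote_shell_over_pipes",
     {"CreatePipe", "CreateProcessA", "PeekNamedPipe", "ReadFile", "WriteFile"}, ["cmd.exe"]),
    ("firefox_credential_wipe", {"FindFirstFileA", "FindNextFileA"}, ["\\logins.json"]),
    ("clipboard_read_write", {"OpenClipboard", "GetClipboardData", "SetClipboardData"}, []),
    ("process_enum_for_injection_target",
     {"CreateToolhelp32Snapshot", "Process32FirstW", "OpenProcess"}, ["ieinstal.exe"]),
]


def parse_api_lines(text):
    """ApiCall records for every line that matches _LINE; other lines are skipped."""
    calls = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub") or ""))
    return calls


def parse_string_id(line):
    """Split a '• String ID: a$b$c' line. '$' is the plugin's separator, so a string
    that itself contains '$' cannot be recovered unambiguously; empty pieces are dropped."""
    return [s for s in line.partition("String ID:")[2].strip().split("$") if s]


def decode_arg(call, index):
    """Symbolic name for argument `index` when the table knows it, else the raw token."""
    tok = call.args[index] if index < len(call.args) else ""
    try:
        value = int(tok, 16)
    except ValueError:          # '?', a string literal such as 'open', or an empty slot
        return tok
    if call.api == "Sleep" and index == 0:
        return f"{value} ms"
    return CONSTANTS.get((call.api, index), {}).get(value, tok)


def tag_behaviours(calls, strings, include_subcalls=True):
    """Tags whose API set is fully present (optionally counting APIs reached through
    sub-calls) and whose string needles all match; order follows RULES."""
    seen = {c.api for c in calls if include_subcalls or not c.subcall}
    return [tag for tag, apis, needles in RULES
            if apis <= seen and all(any(n in s for s in strings) for n in needles)]


def analyse(block_text):
    """Parse one function block (its API lines plus its String ID line) and tag it."""
    calls = parse_api_lines(block_text)
    strings = []
    for line in block_text.splitlines():
        if "String ID:" in line:
            strings = parse_string_id(line)
    return calls, strings, tag_behaviours(calls, strings)


# Two blocks copied from the report: the CoGetObject routine and the cmd.exe pipe shell.
SAMPLE_UAC = """\
• _wcslen.LIBCMT ref: 00407521
• CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
"""
SAMPLE_SHELL = """\
• CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
• Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
• String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
"""

if __name__ == "__main__":
    for name, block in (("uac", SAMPLE_UAC), ("shell", SAMPLE_SHELL)):
        calls, strings, tags = analyse(block)
        print(name, [c.api for c in calls], tags)
```

Running the script prints the API sequence and tags for both samples. Two design points matter in practice: the plugin attributes sub-call APIs to the caller (OpenProcess under 0041C1DD is listed in the Toolhelp walker's record), so `include_subcalls=False` restricts a rule to direct calls when you want to avoid tagging a caller with its callee's behaviour; and because the "Strings" sections are empty in this extraction, only the "String ID" line is used, with its "$" separator ambiguity noted in `parse_string_id`.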
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                      • GetLastError.KERNEL32 ref: 0041A7BB
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                      • String ID:
                                      • API String ID: 3587775597-0
                                      • Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                                      • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                      • Opcode Fuzzy Hash: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
                                      • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                      • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                      • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                      • String ID: lJD$lJD$lJD
                                      • API String ID: 745075371-479184356
                                      • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                      • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                      • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                      • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                      • FindClose.KERNEL32(00000000), ref: 0040C47D
                                      • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 1164774033-405221262
                                      • Opcode ID: b4ce1130c63f91c9a7bb924499f2ab22045580026bc8e52ab8eb9ef944069cc1
                                      • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                      • Opcode Fuzzy Hash: b4ce1130c63f91c9a7bb924499f2ab22045580026bc8e52ab8eb9ef944069cc1
                                      • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                      • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                      • String ID:
                                      • API String ID: 2341273852-0
                                      • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                      • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                      • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                      • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$CreateFirstNext
                                      • String ID: 8SG$PXG$PXG$NG$PG
                                      • API String ID: 341183262-3812160132
                                      • Opcode ID: 51c1bc0efb57238df8f343c385f4ca69313514bd3b1d4432c3fe4bb7cf6149f9
                                      • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                      • Opcode Fuzzy Hash: 51c1bc0efb57238df8f343c385f4ca69313514bd3b1d4432c3fe4bb7cf6149f9
                                      • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                      • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                      • GetLastError.KERNEL32 ref: 0040A2ED
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                      • TranslateMessage.USER32(?), ref: 0040A34A
                                      • DispatchMessageA.USER32(?), ref: 0040A355
                                      Strings
                                      • Keylogger initialization failure: error , xrefs: 0040A301
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                      • String ID: Keylogger initialization failure: error
                                      • API String ID: 3219506041-952744263
                                      • Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                                      • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                      • Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
                                      • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 0040A416
                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                      • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                      • GetKeyState.USER32(00000010), ref: 0040A433
                                      • GetKeyboardState.USER32(?), ref: 0040A43E
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                      • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                      • String ID:
                                      • API String ID: 1888522110-0
                                      • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                      • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                      • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                      • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                      • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                      • API String ID: 2127411465-314212984
                                      • Opcode ID: 16d4d9f7d8e9d2946c9e71bc9a9cf1ed37fbcb6207445c9ca6b4d79b5acfd54f
                                      • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                                      • Opcode Fuzzy Hash: 16d4d9f7d8e9d2946c9e71bc9a9cf1ed37fbcb6207445c9ca6b4d79b5acfd54f
                                      • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                                      APIs
                                      • _free.LIBCMT ref: 00449212
                                      • _free.LIBCMT ref: 00449236
                                      • _free.LIBCMT ref: 004493BD
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                      • _free.LIBCMT ref: 00449589
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                      • String ID:
                                      • API String ID: 314583886-0
                                      • Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
                                      • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                                      • Opcode Fuzzy Hash: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
                                      • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                                      APIs
                                        • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                        • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                        • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                        • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                        • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                      • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                      • String ID: !D@$PowrProf.dll$SetSuspendState
                                      • API String ID: 1589313981-2876530381
                                      • Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                                      • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                      • Opcode Fuzzy Hash: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
                                      • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                      • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                      • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP$['E
                                      • API String ID: 2299586839-2532616801
                                      • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                      • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                      • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                      • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                      APIs
                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                      • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                      • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                      Strings
                                      • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleOpen$FileRead
                                      • String ID: http://geoplugin.net/json.gp
                                      • API String ID: 3121278467-91888290
                                      • Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                                      • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                      • Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
                                      • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                      • GetLastError.KERNEL32 ref: 0040BA58
                                      Strings
                                      • UserProfile, xrefs: 0040BA1E
                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                      • [Chrome StoredLogins not found], xrefs: 0040BA72
                                      • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 2018770650-1062637481
                                      • Opcode ID: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                                      • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                      • Opcode Fuzzy Hash: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
                                      • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                      • GetLastError.KERNEL32 ref: 0041799D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3534403312-3733053543
                                      • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                      • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                      • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                      • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00409258
                                        • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                      • FindClose.KERNEL32(00000000), ref: 004093C1
                                        • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                        • Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
                                        • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
                                      • FindClose.KERNEL32(00000000), ref: 004095B9
                                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                      • String ID:
                                      • API String ID: 1824512719-0
                                      • Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                                      • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                      • Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
                                      • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                      • String ID:
                                      • API String ID: 276877138-0
                                      • Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                      • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                      • Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
                                      • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                      • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                      • _wcschr.LIBVCRUNTIME ref: 00451E58
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                      • String ID: sJD
                                      • API String ID: 4212172061-3536923933
                                      • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                      • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                      • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                      • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                      APIs
                                        • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                        • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                        • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                      • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                      • ExitProcess.KERNEL32 ref: 0040F8CA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                      • String ID: 5.1.0 Pro$override$pth_unenc
                                      • API String ID: 2281282204-182549033
                                      • Opcode ID: bc1be6459073602c737430f7b82db798cb6416b862091f8f7e094519bbbbbb63
                                      • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                      • Opcode Fuzzy Hash: bc1be6459073602c737430f7b82db798cb6416b862091f8f7e094519bbbbbb63
                                      • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                      APIs
                                      • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                      • wsprintfW.USER32 ref: 0040B1F3
                                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EventLocalTimewsprintf
                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                      • API String ID: 1497725170-248792730
                                      • Opcode ID: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                                      • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                      • Opcode Fuzzy Hash: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
                                      • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                      APIs
                                      • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                      • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                      • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                      • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID: SETTINGS
                                      • API String ID: 3473537107-594951305
                                      • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                      • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                      • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                      • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0040966A
                                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstH_prologNext
                                      • String ID:
                                      • API String ID: 1157919129-0
                                      • Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                                      • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                      • Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
                                      • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00408811
                                      • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                      • String ID:
                                      • API String ID: 1771804793-0
                                      • Opcode ID: 9b645307c49ece523b116fa648223e4d0ed288365c05ee1dbdf173a36bd7f3be
                                      • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                      • Opcode Fuzzy Hash: 9b645307c49ece523b116fa648223e4d0ed288365c05ee1dbdf173a36bd7f3be
                                      • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadExecuteFileShell
                                      • String ID: C:\Users\user\Desktop\6122.scr.exe$open
                                      • API String ID: 2825088817-502581782
                                      • Opcode ID: 2b237405c553a9a1b0e8afa968ba7ab87aca62d7634961c01fb43f6f663e2fce
                                      • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                      • Opcode Fuzzy Hash: 2b237405c553a9a1b0e8afa968ba7ab87aca62d7634961c01fb43f6f663e2fce
                                      • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$FirstNextsend
                                      • String ID: XPG$XPG
                                      • API String ID: 4113138495-1962359302
                                      • Opcode ID: ab691d252adf93a793db7f637d0c661f35909e30d32946a99fdb273c158dd0c5
                                      • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                      • Opcode Fuzzy Hash: ab691d252adf93a793db7f637d0c661f35909e30d32946a99fdb273c158dd0c5
                                      • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                      APIs
                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                        • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                        • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                        • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateInfoParametersSystemValue
                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                      • API String ID: 4127273184-3576401099
                                      • Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                                      • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                      • Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
                                      • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                      • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                      • ExitProcess.KERNEL32 ref: 004432EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID: PkGNG
                                      • API String ID: 1703294689-263838557
                                      • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                      • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                      • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                      • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: PkGNG
                                      • API String ID: 0-263838557
                                      • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                      • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                      • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                      • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                      • String ID:
                                      • API String ID: 2829624132-0
                                      • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                      • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                      • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                      • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                      • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                      • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                      • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                      APIs
                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                                      • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                                      • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Crypt$Context$AcquireRandomRelease
                                      • String ID:
                                      • API String ID: 1815803762-0
                                      • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                      • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                      • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                      • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                      APIs
                                      • OpenClipboard.USER32(00000000), ref: 0040B711
                                      • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                      • CloseClipboard.USER32 ref: 0040B725
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseDataOpen
                                      • String ID:
                                      • API String ID: 2058664381-0
                                      • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                      • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                      • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                      • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FeaturePresentProcessor
                                      • String ID:
                                      • API String ID: 2325560087-3916222277
                                      • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                      • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                      • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                      • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                      • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                                      • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                      • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID: lJD
                                      • API String ID: 1084509184-3316369744
                                      • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                      • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                      • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                      • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID: lJD
                                      • API String ID: 1084509184-3316369744
                                      • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                      • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                      • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                      • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: GetLocaleInfoEx
                                      • API String ID: 2299586839-2904428671
                                      • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                      • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                      • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                      • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                      • HeapFree.KERNEL32(00000000), ref: 004120EE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                      • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                      • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                      • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                      • String ID:
                                      • API String ID: 1663032902-0
                                      • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                      • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                      • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                      • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: ErrorLast$InfoLocale_abort_free
                                      • String ID:
                                      • API String ID: 2692324296-0
                                      • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                      • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                      • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                      • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      • Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                      • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                      • Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                      • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                      APIs
                                        • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                      • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                      • String ID:
                                      • API String ID: 1272433827-0
                                      • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                      • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                      • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                      • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                      APIs
                                        • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                      • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                      • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                      • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                      • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                      APIs
                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: InfoLocale
                                      • String ID:
                                      • API String ID: 2299586839-0
                                      • Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                      • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                      • Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
                                      • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                      • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                      • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                      • Instruction Fuzzy Hash:
                                      APIs
                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                        • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                      • DeleteDC.GDI32(00000000), ref: 00418F2A
                                      • DeleteDC.GDI32(00000000), ref: 00418F2D
                                      • DeleteObject.GDI32(00000000), ref: 00418F30
                                      • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                      • DeleteDC.GDI32(00000000), ref: 00418F62
                                      • DeleteDC.GDI32(00000000), ref: 00418F65
                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                      • GetIconInfo.USER32(?,?), ref: 00418FBD
                                      • DeleteObject.GDI32(?), ref: 00418FEC
                                      • DeleteObject.GDI32(?), ref: 00418FF9
                                      • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                      • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                      • DeleteDC.GDI32(?), ref: 0041917C
                                      • DeleteDC.GDI32(00000000), ref: 0041917F
                                      • DeleteObject.GDI32(00000000), ref: 00419182
                                      • GlobalFree.KERNEL32(?), ref: 0041918D
                                      • DeleteObject.GDI32(00000000), ref: 00419241
                                      • GlobalFree.KERNEL32(?), ref: 00419248
                                      • DeleteDC.GDI32(?), ref: 00419258
                                      • DeleteDC.GDI32(00000000), ref: 00419263
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                                      • String ID: DISPLAY
                                      • API String ID: 479521175-865373369
                                      • Opcode ID: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                                      • Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
                                      • Opcode Fuzzy Hash: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
                                      • Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                      • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                      • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                      • ResumeThread.KERNEL32(?), ref: 00418435
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                      • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                      • GetLastError.KERNEL32 ref: 0041847A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                      • API String ID: 4188446516-3035715614
                                      • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                      • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                      • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                      • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                      APIs
                                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                        • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                        • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                      • ExitProcess.KERNEL32 ref: 0040D7D0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                      • API String ID: 1861856835-332907002
                                      • Opcode ID: f06c0f3fe88489d0e2c5ffad4c1a0fc09fbad2280a0079c9fbc51da470a9490e
                                      • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                      • Opcode Fuzzy Hash: f06c0f3fe88489d0e2c5ffad4c1a0fc09fbad2280a0079c9fbc51da470a9490e
                                      • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                      APIs
                                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                        • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                      • ExitProcess.KERNEL32 ref: 0040D419
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
                                      • API String ID: 3797177996-2557013105
                                      • Opcode ID: a1a0741b8aa6907e639e806891c4818a969d9db6df5c1f8137be8dc9c05249f3
                                      • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                      • Opcode Fuzzy Hash: a1a0741b8aa6907e639e806891c4818a969d9db6df5c1f8137be8dc9c05249f3
                                      • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                      • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                      • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                      • GetCurrentProcessId.KERNEL32 ref: 00412541
                                      • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                      • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                        • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                      • Sleep.KERNEL32(000001F4), ref: 00412682
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                      • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                      • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                      • String ID: .exe$8SG$WDH$exepath$open$temp_
                                      • API String ID: 2649220323-436679193
                                      • Opcode ID: 5afe557bd59fe2fb36d972248b29c5deb24c09acede0227067c4c091f693347a
                                      • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                      • Opcode Fuzzy Hash: 5afe557bd59fe2fb36d972248b29c5deb24c09acede0227067c4c091f693347a
                                      • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                      APIs
                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                      • SetEvent.KERNEL32 ref: 0041B219
                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                      • CloseHandle.KERNEL32 ref: 0041B23A
                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                      • API String ID: 738084811-2094122233
                                      • Opcode ID: 1af6777f4b26f00d2594b4f9da1b5597036d5e91d20fdc05908bc04bace6597c
                                      • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                      • Opcode Fuzzy Hash: 1af6777f4b26f00d2594b4f9da1b5597036d5e91d20fdc05908bc04bace6597c
                                      • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                      • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                      • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                      • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      • API ID: File$Write$Create
                                      • String ID: RIFF$WAVE$data$fmt
                                      • API String ID: 1602526932-4212202414
                                      • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                      • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                      • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                      • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\6122.scr.exe,00000001,0040764D,C:\Users\user\Desktop\6122.scr.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                      • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: C:\Users\user\Desktop\6122.scr.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                      • API String ID: 1646373207-748175997
                                      • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                      • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                      • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                      • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                      APIs
                                      • lstrlenW.KERNEL32(?), ref: 0041C036
                                      • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                      • lstrlenW.KERNEL32(?), ref: 0041C067
                                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                      • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                      • _wcslen.LIBCMT ref: 0041C13B
                                      • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                      • GetLastError.KERNEL32 ref: 0041C173
                                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                      • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                      • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                      • GetLastError.KERNEL32 ref: 0041C1D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                      • String ID: ?
                                      • API String ID: 3941738427-1684325040
                                      • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                      • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                      • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                      • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                      • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                      • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                      • String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                      • API String ID: 2490988753-1941338355
                                      • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                      • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                      • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                      • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$EnvironmentVariable$_wcschr
                                      • String ID:
                                      • API String ID: 3899193279-0
                                      • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                      • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                      • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                                      • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                      • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                      • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                      • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                      • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                      • Sleep.KERNEL32(00000064), ref: 00412E94
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                      • String ID: /stext "$0TG$0TG$NG$NG
                                      • API String ID: 1223786279-2576077980
                                      • Opcode ID: 2986c19d5eff0671da4a124577a32cf2d74727819232519ecdbd70d3c5314773
                                      • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                      • Opcode Fuzzy Hash: 2986c19d5eff0671da4a124577a32cf2d74727819232519ecdbd70d3c5314773
                                      • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                      • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnumOpen
                                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                      • API String ID: 1332880857-3714951968
                                      • Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                                      • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                      • Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
                                      • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                      APIs
                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                      • GetCursorPos.USER32(?), ref: 0041D5E9
                                      • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                      • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                      • ExitProcess.KERNEL32 ref: 0041D665
                                      • CreatePopupMenu.USER32 ref: 0041D66B
                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                      • String ID: Close
                                      • API String ID: 1657328048-3535843008
                                      • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                      • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                      • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                      • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
                                      • SetEvent.KERNEL32(?), ref: 00404E43
                                      • CloseHandle.KERNEL32(?), ref: 00404E4C
                                      • closesocket.WS2_32(?), ref: 00404E5A
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
                                      • SetEvent.KERNEL32(?), ref: 00404EA2
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
                                      • SetEvent.KERNEL32(?), ref: 00404EBA
                                      • CloseHandle.KERNEL32(?), ref: 00404EBF
                                      • CloseHandle.KERNEL32(?), ref: 00404EC4
                                      • SetEvent.KERNEL32(?), ref: 00404ED1
                                      • CloseHandle.KERNEL32(?), ref: 00404ED6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                      • String ID: PkGNG
                                      • API String ID: 3658366068-263838557
                                      • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                      • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                      • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                      • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$Info
                                      • String ID:
                                      • API String ID: 2509303402-0
                                      • Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                      • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                      • Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                      • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                      • __aulldiv.LIBCMT ref: 00408D4D
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                      • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                      • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                      • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
                                      • API String ID: 3086580692-2582957567
                                      • Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                                      • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                      • Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
                                      • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                      APIs
                                      • Sleep.KERNEL32(00001388), ref: 0040A740
                                        • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                        • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                        • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                        • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                      • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                      • API String ID: 3795512280-1152054767
                                      • Opcode ID: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                                      • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                      • Opcode Fuzzy Hash: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
                                      • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                      APIs
                                      • connect.WS2_32(?,?,?), ref: 004048E0
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                      • WSAGetLastError.WS2_32 ref: 00404A21
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                      • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                      • API String ID: 994465650-3229884001
                                      • Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                                      • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                      • Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
                                      • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 0045130A
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                      • _free.LIBCMT ref: 004512FF
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00451321
                                      • _free.LIBCMT ref: 00451336
                                      • _free.LIBCMT ref: 00451341
                                      • _free.LIBCMT ref: 00451363
                                      • _free.LIBCMT ref: 00451376
                                      • _free.LIBCMT ref: 00451384
                                      • _free.LIBCMT ref: 0045138F
                                      • _free.LIBCMT ref: 004513C7
                                      • _free.LIBCMT ref: 004513CE
                                      • _free.LIBCMT ref: 004513EB
                                      • _free.LIBCMT ref: 00451403
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                      • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                      • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                      • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00419FB9
                                      • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                      • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                      • GetLocalTime.KERNEL32(?), ref: 0041A105
                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                                      • API String ID: 489098229-1431523004
                                      • Opcode ID: a44948d284f133504734d697ca6f7e31c11da472c88381ebf6f8b069d30e9c47
                                      • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                      • Opcode Fuzzy Hash: a44948d284f133504734d697ca6f7e31c11da472c88381ebf6f8b069d30e9c47
                                      • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                      APIs
                                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                        • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                        • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                        • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                      • ExitProcess.KERNEL32 ref: 0040D9C4
                                       Similarity
                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                      • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                      • API String ID: 1913171305-3159800282
                                       Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      APIs
                                        • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                      • GetLastError.KERNEL32 ref: 00455CEF
                                      • __dosmaperr.LIBCMT ref: 00455CF6
                                      • GetFileType.KERNEL32(00000000), ref: 00455D02
                                      • GetLastError.KERNEL32 ref: 00455D0C
                                      • __dosmaperr.LIBCMT ref: 00455D15
                                      • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                      • CloseHandle.KERNEL32(?), ref: 00455E7F
                                      • GetLastError.KERNEL32 ref: 00455EB1
                                      • __dosmaperr.LIBCMT ref: 00455EB8
                                       Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      APIs
                                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                      • __alloca_probe_16.LIBCMT ref: 00453EEA
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                      • __alloca_probe_16.LIBCMT ref: 00453F94
                                      • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                      • __freea.LIBCMT ref: 00454003
                                      • __freea.LIBCMT ref: 0045400F
                                       Similarity
                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                      • String ID: \@E
                                      • API String ID: 201697637-1814623452
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                                      • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                                      • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                      • __freea.LIBCMT ref: 0044AE30
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • __freea.LIBCMT ref: 0044AE39
                                      • __freea.LIBCMT ref: 0044AE5E
                                       Similarity
                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                      • String ID: $C$PkGNG
                                      • API String ID: 3864826663-3740547665
                                       Similarity
                                      • API ID: _free
                                      • String ID: \&G$\&G$`&G
                                      • API String ID: 269201875-253610517
                                       Similarity
                                      • API ID:
                                      • String ID: 65535$udp
                                      • API String ID: 0-1267037602
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 0040AD38
                                      • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                      • GetForegroundWindow.USER32 ref: 0040AD49
                                      • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                      • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                       Similarity
                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                      • String ID: [${ User has been idle for $ minutes }$]
                                      • API String ID: 911427763-3954389425
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                      • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                      • __dosmaperr.LIBCMT ref: 0043A8A6
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                      • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                      • __dosmaperr.LIBCMT ref: 0043A8E3
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                      • __dosmaperr.LIBCMT ref: 0043A937
                                      • _free.LIBCMT ref: 0043A943
                                      • _free.LIBCMT ref: 0043A94A
                                       Similarity
                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                      • String ID:
                                      • API String ID: 2441525078-0
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 004054BF
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                      • TranslateMessage.USER32(?), ref: 0040557E
                                      • DispatchMessageA.USER32(?), ref: 00405589
                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                       Similarity
                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                      • API String ID: 2956720200-749203953
                                      APIs
                                        • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                      • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                      • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                       Similarity
                                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                      • String ID: 0VG$0VG$<$@$Temp
                                      • API String ID: 1704390241-2575729100
                                      APIs
                                      • OpenClipboard.USER32 ref: 00416941
                                      • EmptyClipboard.USER32 ref: 0041694F
                                      • CloseClipboard.USER32 ref: 00416955
                                      • OpenClipboard.USER32 ref: 0041695C
                                      • GetClipboardData.USER32(0000000D), ref: 0041696C
                                      • GlobalLock.KERNEL32(00000000), ref: 00416975
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                      • CloseClipboard.USER32 ref: 00416984
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                       Similarity
                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                      • String ID: !D@
                                      • API String ID: 2172192267-604454484
                                      APIs
                                      • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                      • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                      • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                      • CloseHandle.KERNEL32(?), ref: 00413465
                                       Similarity
                                      • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                      • String ID:
                                      • API String ID: 297527592-0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                       Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      APIs
                                      • _free.LIBCMT ref: 00448135
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00448141
                                      • _free.LIBCMT ref: 0044814C
                                      • _free.LIBCMT ref: 00448157
                                      • _free.LIBCMT ref: 00448162
                                      • _free.LIBCMT ref: 0044816D
                                      • _free.LIBCMT ref: 00448178
                                      • _free.LIBCMT ref: 00448183
                                      • _free.LIBCMT ref: 0044818E
                                      • _free.LIBCMT ref: 0044819C
                                       Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                       Similarity
                                      • API ID: Eventinet_ntoa
                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                      • API String ID: 3578746661-3604713145
                                      APIs
                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
                                       Similarity
                                      • API ID: DecodePointer
                                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                                      • API String ID: 3527080286-3064271455
APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
• __fassign.LIBCMT ref: 0044B479
• __fassign.LIBCMT ref: 0044B494
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
• WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
• WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID: PkGNG
• API String ID: 1324828854-263838557
• Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
• Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
• Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
APIs
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
• Sleep.KERNEL32(00000064), ref: 00417521
• DeleteFileW.KERNEL32(00000000), ref: 00417555
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: File$CreateDeleteExecuteShellSleep
• String ID: /t $\sysinfo.txt$dxdiag$open$temp
• API String ID: 1462127192-2001430897
• Opcode ID: d6a7a8c36c87aba2787b8ea33aa4d1f7fca6d44790c4f13fbcc8ebc3b329175f
• Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
• Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
APIs
• GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
• GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\6122.scr.exe), ref: 0040749E
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: CurrentProcess
• String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
• API String ID: 2050909247-4242073005
• Opcode ID: c96af00a5e7ec94e66acc45bf1863d5a4294996af44aaa2752f51638bf238a49
• Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
• Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
APIs
• _strftime.LIBCMT ref: 00401D50
  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
• waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
• String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
• API String ID: 3809562944-243156785
• Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
• Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
• Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
• int.LIBCPMT ref: 00410E81
  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
• std::_Facet_Register.LIBCPMT ref: 00410EC1
• std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
• __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
• __Init_thread_footer.LIBCMT ref: 00410F29
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
• String ID: ,kG$0kG
• API String ID: 3815856325-2015055088
• Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
• Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
• Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
APIs
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
• waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
• waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
• waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
• waveInStart.WINMM ref: 00401CFE
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
• String ID: dMG$|MG$PG
• API String ID: 1356121797-532278878
• Opcode ID: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
• Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
• Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
  • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
  • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
  • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
• ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
• lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
• Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
• TranslateMessage.USER32(?), ref: 0041D4E9
• DispatchMessageA.USER32(?), ref: 0041D4F3
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
• String ID: Remcos
• API String ID: 1970332568-165870891
• Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
• Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
• Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
• Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
• Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
APIs
  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
• _memcmp.LIBVCRUNTIME ref: 00445423
• _free.LIBCMT ref: 00445494
• _free.LIBCMT ref: 004454AD
• _free.LIBCMT ref: 004454DF
• _free.LIBCMT ref: 004454E8
• _free.LIBCMT ref: 004454F4
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: _free$ErrorLast$_abort_memcmp
• String ID: C
• API String ID: 1679612858-1037565863
• Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
• Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
• Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• String ID: tcp$udp
• API String ID: 0-3725065008
• Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
• Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
• Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
APIs
  • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
• SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
• GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
• SetLastError.KERNEL32(0000000E), ref: 00411DC9
  • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
• GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
• HeapAlloc.KERNEL32(00000000), ref: 00411E17
• SetLastError.KERNEL32(0000045A), ref: 00411F2A
  • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
  • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
• String ID: t^F
• API String ID: 3950776272-389975521
• Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
• Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
• Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
APIs
• __Init_thread_footer.LIBCMT ref: 004018BE
• ExitThread.KERNEL32 ref: 004018F6
• waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
• String ID: PkG$XMG$NG$NG
• API String ID: 1649129571-3151166067
• Opcode ID: cdec32db15edff859d4dc3adfbb971a1a7df97296c827c92140e57336d635a83
• Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
• Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
APIs
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
• CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
• MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
• CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
  • Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• API String ID: 1303771098-3499674018
• Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
• Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
• Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
• SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
• SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
• SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
• SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: InputSend
• API String ID: 3431551938-0
• Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
• Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
• Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: __freea$__alloca_probe_16_free
• String ID: a/p$am/pm$zD
• API String ID: 2936374016-2723203690
• Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
• Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
• Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
APIs
• RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
• RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: Enum$InfoQueryValue
• String ID: [regsplt]$xUG$TG
• API String ID: 3554306468-1165877943
• Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
• Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
• Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
Memory Dump Source
• Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_6122.jbxd
Similarity
• API ID: _free
• String ID: D[E$D[E
• API String ID: 269201875-3695742444
• Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
• Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
• Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                        • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                        • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                      • API ID: CloseEnumInfoOpenQuerysend
                                      • String ID: xUG$NG$NG$TG
                                      • API String ID: 3114080316-2811732169
                                      • Opcode ID: c6f35c2bf26cfa5651eb61a3c71b5883c010595c96b2a316ccc479b627cc95f7
                                      • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                      • Opcode Fuzzy Hash: c6f35c2bf26cfa5651eb61a3c71b5883c010595c96b2a316ccc479b627cc95f7
                                      • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                      • __alloca_probe_16.LIBCMT ref: 004511B1
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                      • __freea.LIBCMT ref: 0045121D
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                      • String ID: PkGNG
                                      • API String ID: 313313983-263838557
                                      • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                      • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                      • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                      • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                      APIs
                                        • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                        • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                        • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • _wcslen.LIBCMT ref: 0041B763
                                      • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                      • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                      • API String ID: 37874593-122982132
                                      • Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                      • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                      • Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
                                      • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                      APIs
                                        • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                        • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                        • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                      • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                      • API String ID: 1133728706-4073444585
                                      • Opcode ID: 44b5265c6c0164f295b1527da2f4df424204d8919945bee9dcb633f0f8b76136
                                      • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                      • Opcode Fuzzy Hash: 44b5265c6c0164f295b1527da2f4df424204d8919945bee9dcb633f0f8b76136
                                      • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                      • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                      • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                      • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                      APIs
                                        • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                      • _free.LIBCMT ref: 00450F48
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00450F53
                                      • _free.LIBCMT ref: 00450F5E
                                      • _free.LIBCMT ref: 00450FB2
                                      • _free.LIBCMT ref: 00450FBD
                                      • _free.LIBCMT ref: 00450FC8
                                      • _free.LIBCMT ref: 00450FD3
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                      • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                      • int.LIBCPMT ref: 00411183
                                        • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                        • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                      • std::_Facet_Register.LIBCPMT ref: 004111C3
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                      • String ID: (mG
                                      • API String ID: 2536120697-4059303827
                                      • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                      • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                      • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                      • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                      APIs
                                      • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                      • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                      • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                      • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                      • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\6122.scr.exe), ref: 004075D0
                                        • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                        • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                      • CoUninitialize.OLE32 ref: 00407629
                                      • API ID: InitializeObjectUninitialize_wcslen
                                      • String ID: C:\Users\user\Desktop\6122.scr.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                      • API String ID: 3851391207-3254586366
                                      • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                      • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                      • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                      • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                      • GetLastError.KERNEL32 ref: 0040BAE7
                                      Strings
                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                      • UserProfile, xrefs: 0040BAAD
                                      • [Chrome Cookies not found], xrefs: 0040BB01
                                      • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                      • API String ID: 2018770650-304995407
                                      • Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                      • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                      • Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
                                      • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                      APIs
                                      • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                      • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                      • API ID: Console$AllocOutputShowWindow
                                      • String ID: Remcos v$5.1.0 Pro$CONOUT$
                                      • API String ID: 2425139147-1043272453
                                      • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                      • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                      • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                      • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                      • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$PkGNG$mscoree.dll
                                      • API String ID: 4061214504-213444651
                                      • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                      • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                      • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                      • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                      APIs
                                      • __allrem.LIBCMT ref: 0043AC69
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                      • __allrem.LIBCMT ref: 0043AC9C
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                      • __allrem.LIBCMT ref: 0043ACD1
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 1992179935-0
                                      • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                      • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                      • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                      • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                      APIs
                                      • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                        • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                      • API ID: H_prologSleep
                                      • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                      • API String ID: 3469354165-3054508432
                                      • Opcode ID: f7db187a1fe7af92a7c3ce0a79d7e7b6810ab1ab4c8a6d96157cd488684fa951
                                      • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                      • Opcode Fuzzy Hash: f7db187a1fe7af92a7c3ce0a79d7e7b6810ab1ab4c8a6d96157cd488684fa951
                                      • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                      • API ID: __cftoe
                                      • String ID:
                                      • API String ID: 4189289331-0
                                      • Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                      • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                      • Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
                                      • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID:
                                      • API String ID: 493672254-0
                                      • Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                      • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                      • Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
                                      • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                      • API ID: __alldvrm$_strrchr
                                      • String ID: PkGNG
                                      • API String ID: 1036877536-263838557
                                      • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                      • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                      • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                      • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                      APIs
                                      • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                      • _free.LIBCMT ref: 0044824C
                                      • _free.LIBCMT ref: 00448274
                                      • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                      • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                      • _abort.LIBCMT ref: 00448293
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                      • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                      • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                      • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                      • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                      • Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
                                      • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                      • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                      • Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
                                      • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                      • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                      • Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
                                      • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: PkGNG
                                      • API String ID: 0-263838557
                                      • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                      • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                      • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                      • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                      • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
                                      • CloseHandle.KERNEL32(?), ref: 00404DDB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                      • String ID: PkGNG
                                      • API String ID: 3360349984-263838557
                                      • Opcode ID: e2f882af2a30351f686d04b3cd6d667c62da5f5effcafa466e9aedc6b7e26869
                                      • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                      • Opcode Fuzzy Hash: e2f882af2a30351f686d04b3cd6d667c62da5f5effcafa466e9aedc6b7e26869
                                      • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                      • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                      • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSizeSleep
                                      • String ID: XQG
                                      • API String ID: 1958988193-3606453820
                                      • Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                                      • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                      • Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
                                      • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                      APIs
                                      • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                      • GetLastError.KERNEL32 ref: 0041D580
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ClassCreateErrorLastRegisterWindow
                                      • String ID: 0$MsgWindowClass
                                      • API String ID: 2877667751-2410386613
                                      • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                      • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                      • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                      • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                      APIs
                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                      • CloseHandle.KERNEL32(?), ref: 004077AA
                                      • CloseHandle.KERNEL32(?), ref: 004077AF
                                      Strings
                                      • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreateProcess
                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                      • API String ID: 2922976086-4183131282
                                      • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                      • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                      • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                      • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: SG$C:\Users\user\Desktop\6122.scr.exe
                                      • API String ID: 0-4283703086
                                      • Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                                      • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                      • Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
                                      • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                      • SetEvent.KERNEL32(?), ref: 0040512C
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                      • CloseHandle.KERNEL32(?), ref: 00405140
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                      • String ID: KeepAlive | Disabled
                                      • API String ID: 2993684571-305739064
                                      • Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                                      • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                      • Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
                                      • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                      APIs
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                      • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                      • Sleep.KERNEL32(00002710), ref: 0041AE07
                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                      • String ID: Alarm triggered
                                      • API String ID: 614609389-2816303416
                                      • Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                                      • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                      • Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
                                      • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                      Strings
                                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                      • API String ID: 3024135584-2418719853
                                      • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                      • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                      • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                      • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                      • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                      • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                      • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                      APIs
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • _free.LIBCMT ref: 00444E06
                                      • _free.LIBCMT ref: 00444E1D
                                      • _free.LIBCMT ref: 00444E3C
                                      • _free.LIBCMT ref: 00444E57
                                      • _free.LIBCMT ref: 00444E6E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$AllocateHeap
                                      • String ID:
                                      • API String ID: 3033488037-0
                                      • Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                      • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                      • Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
                                      • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                      APIs
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                      • _free.LIBCMT ref: 004493BD
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00449589
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                      • String ID:
                                      • API String ID: 1286116820-0
                                      • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                      • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                      • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                      • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                      APIs
                                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                      • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                        • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 4269425633-0
                                      • Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                                      • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                      • Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
                                      • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                      • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                      • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                      • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                      • _free.LIBCMT ref: 0044F3BF
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                      • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                      • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                      • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                      APIs
                                      • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                      • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                      • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreatePointerWrite
                                      • String ID:
                                      • API String ID: 1852769593-0
                                      • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                      • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                      • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                      • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                      APIs
                                      • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                      • _free.LIBCMT ref: 004482D3
                                      • _free.LIBCMT ref: 004482FA
                                      • SetLastError.KERNEL32(00000000), ref: 00448307
                                      • SetLastError.KERNEL32(00000000), ref: 00448310
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                      • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                      • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                      • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                      APIs
                                      • _free.LIBCMT ref: 004509D4
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 004509E6
                                      • _free.LIBCMT ref: 004509F8
                                      • _free.LIBCMT ref: 00450A0A
                                      • _free.LIBCMT ref: 00450A1C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                      • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                      • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                      • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                      APIs
                                      • _free.LIBCMT ref: 00444066
                                        • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                      • _free.LIBCMT ref: 00444078
                                      • _free.LIBCMT ref: 0044408B
                                      • _free.LIBCMT ref: 0044409C
                                      • _free.LIBCMT ref: 004440AD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                      • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                      • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                      • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: PkGNG
                                      • API String ID: 0-263838557
                                      • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                      • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                                      • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                      • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                                      APIs
                                      • _strpbrk.LIBCMT ref: 0044E738
                                      • _free.LIBCMT ref: 0044E855
                                        • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                        • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
                                        • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                      • String ID: *?$.
                                      • API String ID: 2812119850-3972193922
                                      • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                      • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                      • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                      • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountEventTick
                                      • String ID: !D@$NG
                                      • API String ID: 180926312-2721294649
                                      • Opcode ID: b594ea947eeeebaeb01dcb2502271808d01e6126574666623e926871b5046dd7
                                      • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                      • Opcode Fuzzy Hash: b594ea947eeeebaeb01dcb2502271808d01e6126574666623e926871b5046dd7
                                      • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                      APIs
                                      • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                        • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                                        • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                        • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFileKeyboardLayoutNameconnectsend
                                      • String ID: XQG$NG$PG
                                      • API String ID: 1634807452-3565412412
                                      • Opcode ID: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
                                      • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                      • Opcode Fuzzy Hash: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
                                      • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: `#D$`#D
                                      • API String ID: 885266447-2450397995
                                      • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                      • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                      • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                      • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\6122.scr.exe,00000104), ref: 00443475
                                      • _free.LIBCMT ref: 00443540
                                      • _free.LIBCMT ref: 0044354A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\Desktop\6122.scr.exe
                                      • API String ID: 2506810119-1735216092
                                      • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                      • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                      • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                      • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                      • GetLastError.KERNEL32 ref: 0044B931
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorFileLastMultiWideWrite
                                      • String ID: PkGNG
                                      • API String ID: 2456169464-263838557
                                      • Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                      • Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
                                      • Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                      • Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                        • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                      • String ID: /sort "Visit Time" /stext "$0NG
                                      • API String ID: 368326130-3219657780
                                      • Opcode ID: 5a82faa1ad293261ac248fbd7caeb08181cf258f5e0d188fe14b0def416cf126
                                      • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                      • Opcode Fuzzy Hash: 5a82faa1ad293261ac248fbd7caeb08181cf258f5e0d188fe14b0def416cf126
                                      • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                      APIs
                                      • _wcslen.LIBCMT ref: 004162F5
                                        • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                        • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                        • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                        • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _wcslen$CloseCreateValue
                                      • String ID: !D@$okmode$PG
                                      • API String ID: 3411444782-3370592832
                                      • Opcode ID: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
                                      • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                      • Opcode Fuzzy Hash: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
                                      • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                      APIs
                                        • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                      Strings
                                      • User Data\Default\Network\Cookies, xrefs: 0040C603
                                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      • Opcode ID: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
                                      • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                      • Opcode Fuzzy Hash: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
                                      • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                      APIs
                                        • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                      Strings
                                      • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      • Opcode ID: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
                                      • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                      • Opcode Fuzzy Hash: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
                                      • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                      • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                      • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTimewsprintf
                                      • String ID: Offline Keylogger Started
                                      • API String ID: 465354869-4114347211
                                      • Opcode ID: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
                                      • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                      • Opcode Fuzzy Hash: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
                                      • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                      APIs
                                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
                                      • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
                                      • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTime$wsprintf
                                      • String ID: Online Keylogger Started
                                      • API String ID: 112202259-1258561607
                                      • Opcode ID: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
                                      • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                      • Opcode Fuzzy Hash: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
                                      • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                      APIs
                                      • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                      • API String ID: 481472006-3277280411
                                      • Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                                      • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                      • Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
                                      • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 00404F81
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                      • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                      Similarity
                                      • API ID: Create$EventLocalThreadTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      APIs
                                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: CryptUnprotectData$crypt32
                                      APIs
                                      • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                      • GetLastError.KERNEL32 ref: 0044C296
                                      • __dosmaperr.LIBCMT ref: 0044C29D
                                      Similarity
                                      • API ID: ErrorFileLastPointer__dosmaperr
                                      • String ID: PkGNG
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                      • CloseHandle.KERNEL32(?), ref: 004051CA
                                      • SetEvent.KERNEL32(?), ref: 004051D9
                                      Similarity
                                      • API ID: CloseEventHandleObjectSingleWait
                                      • String ID: Connection Timeout
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      APIs
                                      • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                      • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                      Similarity
                                      • API ID: FormatFreeLocalMessage
                                      • String ID: @J@$PkGNG
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                        • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                        • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                      Similarity
                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                      • String ID: bad locale name
                                      APIs
                                      • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                      • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                      • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: Control Panel\Desktop
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                      • ShowWindow.USER32(00000009), ref: 00416C61
                                      • SetForegroundWindow.USER32 ref: 00416C6D
                                        • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                        • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                        • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                      Similarity
                                      • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
                                      • String ID: !D@
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: /C $cmd.exe$open
                                      APIs
                                      • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
                                      • GetProcAddress.KERNEL32(00000000), ref: 0040141B
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: GetCursorInfo$User32.dll
                                      APIs
                                      • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
                                      • GetProcAddress.KERNEL32(00000000), ref: 004014C0
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetLastInputInfo$User32.dll
                                      Strings
                                      • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                      • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                      APIs
                                        • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                        • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                        • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                      • Sleep.KERNEL32(000001F4), ref: 0040A573
                                      • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                      Similarity
                                      • API ID: Window$SleepText$ForegroundLength
                                      • String ID: [ $ ]
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                      • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                                      • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      APIs
                                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                      Similarity
                                      • API ID: CloseHandleOpenProcess
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                        • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                      • _UnwindNestedFrames.LIBCMT ref: 00439891
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                      • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      APIs
                                      • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                      • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                      • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                      • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                      Similarity
                                      • API ID: MetricsSystem
                                      • String ID:
                                      • API String ID: 4116985748-0
                                      • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                      • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                                      • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                      • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                        • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0
                                      • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                      • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                                      • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                      • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHandling__start
                                      • String ID: pow
                                      • API String ID: 3213639722-2276729525
                                      • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                      • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                                      • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                      • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
                                      • GetLastError.KERNEL32 ref: 00449F2B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide
                                      • String ID: PkGNG
                                      • API String ID: 203985260-263838557
                                      • Opcode ID: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
                                      • Instruction ID: 5218313022fb824330162c1b3e1e252a07855a0508c927524b2412b0d5c8e50b
                                      • Opcode Fuzzy Hash: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
                                      • Instruction Fuzzy Hash: A531F831600205EBEB21EF56C845BAB77A8DF55711F24416BF9048B3D1DB38CD41E7A9
                                      APIs
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      • __Init_thread_footer.LIBCMT ref: 0040B797
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: [End of clipboard]$[Text copied to clipboard]
                                      • API String ID: 1881088180-3686566968
                                      • Opcode ID: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                                      • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                      • Opcode Fuzzy Hash: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
                                      • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                      APIs
                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ACP$OCP
                                      • API String ID: 0-711371036
                                      • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                      • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                      • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                      • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                      APIs
                                      • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                                      • GetLastError.KERNEL32 ref: 0044B804
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorFileLastWrite
                                      • String ID: PkGNG
                                      • API String ID: 442123175-263838557
                                      • Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                                      • Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
                                      • Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                                      • Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68
                                      APIs
                                      • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                      • GetLastError.KERNEL32 ref: 0044B716
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorFileLastWrite
                                      • String ID: PkGNG
                                      • API String ID: 442123175-263838557
                                      • Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                      • Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
                                      • Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                      • Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64
                                      APIs
                                      • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 481472006-1507639952
                                      • Opcode ID: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
                                      • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                                      • Opcode Fuzzy Hash: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
                                      • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                                      APIs
                                      • Sleep.KERNEL32 ref: 00416640
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadFileSleep
                                      • String ID: !D@
                                      • API String ID: 1931167962-604454484
                                      • Opcode ID: 2ae7695c40f29ee67dd386e4d97dc8b30bdd8952bcd1bbd735126d4dc73e8781
                                      • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                                      • Opcode Fuzzy Hash: 2ae7695c40f29ee67dd386e4d97dc8b30bdd8952bcd1bbd735126d4dc73e8781
                                      • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: alarm.wav$hYG
                                      • API String ID: 1174141254-2782910960
                                      • Opcode ID: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                                      • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                                      • Opcode Fuzzy Hash: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
                                      • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                                      APIs
                                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                      • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                      • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                      • String ID: Online Keylogger Stopped
                                      • API String ID: 1623830855-1496645233
                                      • Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                                      • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                                      • Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
                                      • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                                      APIs
                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String
                                      • String ID: LCMapStringEx$PkGNG
                                      • API String ID: 2568140703-1065776982
                                      • Opcode ID: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                                      • Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
                                      • Opcode Fuzzy Hash: 6176356b550008225c45ed95f9c308570f022b01c1c57b82113652449518e224
                                      • Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99
                                      APIs
                                      • waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                      • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferHeaderPrepare
                                      • String ID: XMG
                                      • API String ID: 2315374483-813777761
                                      • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                      • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                      • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                      • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                      APIs
                                      • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocaleValid
                                      • String ID: IsValidLocaleName$JD
                                      • API String ID: 1901932003-2234456777
                                      • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                      • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                                      • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                                      • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                      • API String ID: 1174141254-4188645398
                                      • Opcode ID: 7005c2773d118e2c9d7b7987c52ef0ef7a298987e294b58a31e1cd003faf56ca
                                      • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                                      • Opcode Fuzzy Hash: 7005c2773d118e2c9d7b7987c52ef0ef7a298987e294b58a31e1cd003faf56ca
                                      • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                      • API String ID: 1174141254-2800177040
                                      • Opcode ID: ab3f2aba289be1bf0ad3848519e66e4cff6ce689097d1d423b573e143f03c488
                                      • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                      • Opcode Fuzzy Hash: ab3f2aba289be1bf0ad3848519e66e4cff6ce689097d1d423b573e143f03c488
                                      • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: AppData$\Opera Software\Opera Stable\
                                      • API String ID: 1174141254-1629609700
                                      • Opcode ID: ab88a7dc1cafb0835d30463df654517a200d7fa6beafa267c9165c8e72f76c47
                                      • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                      • Opcode Fuzzy Hash: ab88a7dc1cafb0835d30463df654517a200d7fa6beafa267c9165c8e72f76c47
                                      • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 0040B64B
                                        • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                        • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                        • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                        • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                        • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                        • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                        • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                      • String ID: [AltL]$[AltR]
                                      • API String ID: 2738857842-2658077756
                                      • Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                                      • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                      • Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
                                      • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                      APIs
                                      • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                      • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: uD
                                      • API String ID: 0-2547262877
                                      • Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                      • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                      • Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                      • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                      APIs
                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Time$FileSystem
                                      • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                      • API String ID: 2086374402-949981407
                                      • Opcode ID: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                                      • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                      • Opcode Fuzzy Hash: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                                      • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: !D@$open
                                      • API String ID: 587946157-1586967515
                                      • Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                                      • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                      • Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
                                      • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                      APIs
                                      • ___initconout.LIBCMT ref: 0045555B
                                        • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                                      • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ConsoleCreateFileWrite___initconout
                                      • String ID: PkGNG
                                      • API String ID: 3087715906-263838557
                                      • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                      • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                                      • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                      • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                                      APIs
                                      • GetKeyState.USER32(00000012), ref: 0040B6A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: State
                                      • String ID: [CtrlL]$[CtrlR]
                                      • API String ID: 1649606143-2446555240
                                      • Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                                      • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                      • Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
                                      • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                      APIs
                                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                      • __Init_thread_footer.LIBCMT ref: 00410F29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: ,kG$0kG
                                      • API String ID: 1881088180-2015055088
                                      • Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                      • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                      • Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
                                      • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                                      • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteOpenValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 2654517830-1051519024
                                      • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                      • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                      • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                      • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                      • GetLastError.KERNEL32 ref: 00440D35
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      • Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                      • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                      • Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                      • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                      APIs
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411B8C
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C58
                                      • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                      • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2045250138.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_6122.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastRead
                                      • String ID:
                                      • API String ID: 4100373531-0
                                      • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                      • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                      • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                      • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

                                      Execution Graph

                                      Execution Coverage: 7.9%
                                      Dynamic/Decrypted Code Coverage: 100%
                                      Signature Coverage: 0%
                                      Total number of Nodes: 48
                                      Total number of Limit Nodes: 9
                                      execution_graph 19451 1494668 19452 149467a 19451->19452 19453 1494686 19452->19453 19455 1494779 19452->19455 19456 149479d 19455->19456 19460 1494879 19456->19460 19464 1494888 19456->19464 19457 14947a7 19457->19453 19461 14948af 19460->19461 19463 149498c 19461->19463 19468 14944b4 19461->19468 19463->19457 19465 14948af 19464->19465 19466 14944b4 CreateActCtxA 19465->19466 19467 149498c 19465->19467 19466->19467 19467->19457 19469 1495918 CreateActCtxA 19468->19469 19471 14959db 19469->19471 19471->19471 19472 149d588 DuplicateHandle 19473 149d61e 19472->19473 19474 79f3598 CloseHandle 19475 79f35ff 19474->19475 19476 149d340 19477 149d386 GetCurrentProcess 19476->19477 19479 149d3d8 GetCurrentThread 19477->19479 19480 149d3d1 19477->19480 19481 149d40e 19479->19481 19482 149d415 GetCurrentProcess 19479->19482 19480->19479 19481->19482 19485 149d44b 19482->19485 19483 149d473 GetCurrentThreadId 19484 149d4a4 19483->19484 19485->19483 19486 149afb0 19487 149afbf 19486->19487 19490 149b0a8 19486->19490 19495 149b097 19486->19495 19491 149b0dc 19490->19491 19492 149b0b9 19490->19492 19491->19487 19492->19491 19493 149b2e0 GetModuleHandleW 19492->19493 19494 149b30d 19493->19494 19494->19487 19496 149b0dc 19495->19496 19497 149b0b9 19495->19497 19496->19487 19497->19496 19498 149b2e0 GetModuleHandleW 19497->19498 19499 149b30d 19498->19499 19499->19487 19500 79f11c0 19501 79f134b 19500->19501 19502 79f11e6 19500->19502 19502->19501 19505 79f1440 PostMessageW 19502->19505 19507 79f1438 PostMessageW 19502->19507 19506 79f14ac 19505->19506 19506->19502 19508 79f14ac 19507->19508 19508->19502

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 294 149d340-149d3cf GetCurrentProcess 298 149d3d8-149d40c GetCurrentThread 294->298 299 149d3d1-149d3d7 294->299 300 149d40e-149d414 298->300 301 149d415-149d449 GetCurrentProcess 298->301 299->298 300->301 303 149d44b-149d451 301->303 304 149d452-149d46d call 149d50f 301->304 303->304 306 149d473-149d4a2 GetCurrentThreadId 304->306 308 149d4ab-149d50d 306->308 309 149d4a4-149d4aa 306->309 309->308
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 0149D3BE
                                      • GetCurrentThread.KERNEL32 ref: 0149D3FB
                                      • GetCurrentProcess.KERNEL32 ref: 0149D438
                                      • GetCurrentThreadId.KERNEL32 ref: 0149D491
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065480689.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1490000_Adobe.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: 840fb37a9d0f2e607152469aaf4b6b575ddc7deacceebe9db7d58879deb5a271
                                      • Instruction ID: 7f5ea2d5f033882990d4b8ca5efda646dc9ddee75d496f3dc3f6fc9d7f1b4104
                                      • Opcode Fuzzy Hash: 840fb37a9d0f2e607152469aaf4b6b575ddc7deacceebe9db7d58879deb5a271
                                      • Instruction Fuzzy Hash: ED5136B09012098FDB18DFAAD548BAEBFF5EF88314F208469D419A7360D7746984CF65

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 316 149d331-149d3cf GetCurrentProcess 320 149d3d8-149d40c GetCurrentThread 316->320 321 149d3d1-149d3d7 316->321 322 149d40e-149d414 320->322 323 149d415-149d449 GetCurrentProcess 320->323 321->320 322->323 325 149d44b-149d451 323->325 326 149d452-149d46d call 149d50f 323->326 325->326 328 149d473-149d4a2 GetCurrentThreadId 326->328 330 149d4ab-149d50d 328->330 331 149d4a4-149d4aa 328->331 331->330
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 0149D3BE
                                      • GetCurrentThread.KERNEL32 ref: 0149D3FB
                                      • GetCurrentProcess.KERNEL32 ref: 0149D438
                                      • GetCurrentThreadId.KERNEL32 ref: 0149D491
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065480689.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1490000_Adobe.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: b4ff294d9dd642bfc868ff9cf49ad5e2de53377cbc623715b31ab43fe1a0f08c
                                      • Instruction ID: 54f23681581cd26902c7272317db1cff6e070c2935ca704323918cab12db9849
                                      • Opcode Fuzzy Hash: b4ff294d9dd642bfc868ff9cf49ad5e2de53377cbc623715b31ab43fe1a0f08c
                                      • Instruction Fuzzy Hash: 465146B09012498FDB14DFA9D548BAEBFF5EF48304F24846AD019A7260D738A984CB65

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 361 149b0a8-149b0b7 362 149b0b9-149b0c6 call 1499b14 361->362 363 149b0e3-149b0e7 361->363 370 149b0c8 362->370 371 149b0dc 362->371 364 149b0e9-149b0f3 363->364 365 149b0fb-149b13c 363->365 364->365 372 149b149-149b157 365->372 373 149b13e-149b146 365->373 416 149b0ce call 149b331 370->416 417 149b0ce call 149b340 370->417 371->363 374 149b159-149b15e 372->374 375 149b17b-149b17d 372->375 373->372 379 149b169 374->379 380 149b160-149b167 call 149ad10 374->380 378 149b180-149b187 375->378 376 149b0d4-149b0d6 376->371 377 149b218-149b2d8 376->377 411 149b2da-149b2dd 377->411 412 149b2e0-149b30b GetModuleHandleW 377->412 381 149b189-149b191 378->381 382 149b194-149b19b 378->382 383 149b16b-149b179 379->383 380->383 381->382 386 149b1a8-149b1b1 call 149ad20 382->386 387 149b19d-149b1a5 382->387 383->378 392 149b1be-149b1c3 386->392 393 149b1b3-149b1bb 386->393 387->386 395 149b1e1-149b1ee 392->395 396 149b1c5-149b1cc 392->396 393->392 401 149b211-149b217 395->401 402 149b1f0-149b20e 395->402 396->395 397 149b1ce-149b1de call 149ad30 call 149ad40 396->397 397->395 402->401 411->412 413 149b30d-149b313 412->413 414 149b314-149b328 412->414 413->414 416->376 417->376
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0149B2FE
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065480689.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1490000_Adobe.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 704bf52237ba4083273cd9d274a7601b072712706e9e0ebbbce4b10c331f7ca5
                                      • Instruction ID: 9ea3e65588e1aea1e3ee5997bb181865841dbf0d243a2316f6c489cf91f8a917
                                      • Opcode Fuzzy Hash: 704bf52237ba4083273cd9d274a7601b072712706e9e0ebbbce4b10c331f7ca5
                                      • Instruction Fuzzy Hash: 4E7124B0A00B058FDB24DF6AD445B5ABBF1FF88604F108A2ED486D7B60D775E846CB90

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 418 149590c-14959d9 CreateActCtxA 420 14959db-14959e1 418->420 421 14959e2-1495a3c 418->421 420->421 428 1495a4b-1495a4f 421->428 429 1495a3e-1495a41 421->429 430 1495a51-1495a5d 428->430 431 1495a60 428->431 429->428 430->431 432 1495a61 431->432 432->432
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 014959C9
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065480689.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1490000_Adobe.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: fc35b59274406693fd1ab32ff0023be9e65055bbd4dbb89e5fd83de3a81c3554
                                      • Instruction ID: d5faf97a944c9b45287e0ce56ac88174df5d41d15859487c9f0c30bd0d676aa9
                                      • Opcode Fuzzy Hash: fc35b59274406693fd1ab32ff0023be9e65055bbd4dbb89e5fd83de3a81c3554
                                      • Instruction Fuzzy Hash: 8941EFB1C00619CFDF25DFA9C884B9EBBB1BF49304F20816AD408AB265DB755946CF91

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 434 14944b4-14959d9 CreateActCtxA 437 14959db-14959e1 434->437 438 14959e2-1495a3c 434->438 437->438 445 1495a4b-1495a4f 438->445 446 1495a3e-1495a41 438->446 447 1495a51-1495a5d 445->447 448 1495a60 445->448 446->445 447->448 449 1495a61 448->449 449->449
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 014959C9
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065480689.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1490000_Adobe.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 2e759e7b5b487a439dab51b38e774b0d340f29d7501a51875f26f1b02d54e93d
                                      • Instruction ID: 842ad2a5939d7ece971b4c5a10f51b6bfa11626268f9c25ed451a82dd2460ac8
                                      • Opcode Fuzzy Hash: 2e759e7b5b487a439dab51b38e774b0d340f29d7501a51875f26f1b02d54e93d
                                      • Instruction Fuzzy Hash: 1A41EFB0C0071DCBDF25DFA9C884A9EBBF5BF49304F20806AD408AB265DB756946CF91

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 451 149d588-149d61c DuplicateHandle 452 149d61e-149d624 451->452 453 149d625-149d642 451->453 452->453
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149D60F
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065480689.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1490000_Adobe.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 799a9ece1b13f351725bfa3b954b9182937b121cc9041bf0899371fd5d0b571e
                                      • Instruction ID: 70d88e55858826e1cb7fce4a3a8851c1bc2e28022f7c596433aeda97b51ba566
                                      • Opcode Fuzzy Hash: 799a9ece1b13f351725bfa3b954b9182937b121cc9041bf0899371fd5d0b571e
                                      • Instruction Fuzzy Hash: EF21C4B5D002489FDB10CF9AD984AEEBFF9FB48310F14841AE918A3350D378A954CFA5

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 456 149d581-149d61c DuplicateHandle 457 149d61e-149d624 456->457 458 149d625-149d642 456->458 457->458
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149D60F
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065480689.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1490000_Adobe.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: c2e770e3b459d7fac91a89ac760ac353fe56952648eacfbe8e4bf0613e2cf045
                                      • Instruction ID: a885ff6a8fd0bfd2d9c8117619d7dcaee7b91ac52fa0584928cbb020d4dd2bc4
                                      • Opcode Fuzzy Hash: c2e770e3b459d7fac91a89ac760ac353fe56952648eacfbe8e4bf0613e2cf045
                                      • Instruction Fuzzy Hash: 5B21F0B59002489FDB10CFA9D584AEEBFF4EB48310F14845AE918A7350C379AA50CFA5

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 461 149b298-149b2d8 462 149b2da-149b2dd 461->462 463 149b2e0-149b30b GetModuleHandleW 461->463 462->463 464 149b30d-149b313 463->464 465 149b314-149b328 463->465 464->465
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0149B2FE
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065480689.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1490000_Adobe.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 9dae98de503a71dd61580737ebbd04b8ce91edc4a5511b4e5028d222f205f50d
                                      • Instruction ID: 13b8aab7f9ab3cdf77914890795c5fd07af741ce4292aadb6ca2bca52f44e42c
                                      • Opcode Fuzzy Hash: 9dae98de503a71dd61580737ebbd04b8ce91edc4a5511b4e5028d222f205f50d
                                      • Instruction Fuzzy Hash: CC110FB5C002498FDB20CF9AD448A9EFBF8EF88310F10845AD919A7310C379A545CFA1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 467 79f1438-79f14aa PostMessageW 468 79f14ac-79f14b2 467->468 469 79f14b3-79f14c7 467->469 468->469
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 079F149D
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2071102962.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_79f0000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: c46f20e62024dc400037993cdfe4535222591f81398d0f10cf6a145ecce0a465
                                      • Instruction ID: 8b958f403330a3c47719fd487f09270d350f96db310796402e530e3f364e13e2
                                      • Opcode Fuzzy Hash: c46f20e62024dc400037993cdfe4535222591f81398d0f10cf6a145ecce0a465
                                      • Instruction Fuzzy Hash: 2311F2B5800349DFDB10DF99D985BEEBFF8EB48314F10885AD558A3240C379A644CFA1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 471 79f1440-79f14aa PostMessageW 472 79f14ac-79f14b2 471->472 473 79f14b3-79f14c7 471->473 472->473
                                      APIs
                                      • PostMessageW.USER32(?,?,?,?), ref: 079F149D
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2071102962.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_79f0000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 5734a0953e45fc1d7bab1547f008c9ad09b49bf06035991dc4ee3e2c65956192
                                      • Instruction ID: 29baa351861e0ac57fc6d6fb3b8e048c4972b3500819a6af7d8a919af6457cb5
                                      • Opcode Fuzzy Hash: 5734a0953e45fc1d7bab1547f008c9ad09b49bf06035991dc4ee3e2c65956192
                                      • Instruction Fuzzy Hash: 6E11D3B5800349DFDB10DF9AD545BDEBFF8EB48314F108459D518A7240D379A544CFA1

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 528 79f3590-79f35fd CloseHandle 529 79f35ff-79f3605 528->529 530 79f3606-79f362e 528->530 529->530
                                      APIs
                                      • CloseHandle.KERNELBASE(?), ref: 079F35F0
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2071102962.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_79f0000_Adobe.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: 9ad3b53ea4ef7bdfdb3abd346606e9e7b10129390e5c14534f30fc7ae967be5b
                                      • Instruction ID: 0279e8ad200c4379551120ef136f3c3bbda9b9f67a7952502cff7ac3bdf24c5d
                                      • Opcode Fuzzy Hash: 9ad3b53ea4ef7bdfdb3abd346606e9e7b10129390e5c14534f30fc7ae967be5b
                                      • Instruction Fuzzy Hash: 651122BA8007498FDB10DF99C585BEEBFF4EB48320F14885AD559A7340C338A644CFA5

                                      Control-flow Graph (rendered graph not recoverable from the extraction; nodes recovered from the graph data): basic block 79f3598-79f35fd calls CloseHandle and branches either to 79f35ff-79f3605 or directly to 79f3606-79f362e; 79f35ff-79f3605 falls through to 79f3606-79f362e. The Executed / Not Executed colouring of the original graph is lost.
                                      APIs
                                      • CloseHandle.KERNELBASE(?), ref: 079F35F0
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2071102962.00000000079F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_79f0000_Adobe.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: 75cc3745be90c362b243b03431195f20d13298fe411c8ddd5b817ca2f54a212f
                                      • Instruction ID: 7a320cf722bb9ab11b0223e5ac9b5999e40dd27558fedc8667d586da1a0c8457
                                      • Opcode Fuzzy Hash: 75cc3745be90c362b243b03431195f20d13298fe411c8ddd5b817ca2f54a212f
                                      • Instruction Fuzzy Hash: 001133B58003498FCB20DF9AC545BEEBFF4EB48320F10841AD558A7340C338A544CFA5
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065159367.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_143d000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: acaedafe25e0aff6f6bf31aa3d9710e31a81f6ebe58b79acdab871f327749c56
                                      • Instruction ID: 90e7f9bc173e79784611dcc033aaaf2be037ebc779df06cc0e7eaf8886811c4b
                                      • Opcode Fuzzy Hash: acaedafe25e0aff6f6bf31aa3d9710e31a81f6ebe58b79acdab871f327749c56
                                      • Instruction Fuzzy Hash: B021E271904204DFDB05DF58D980B56BF65FBE8324F60C57AD9090A266C33AE456CAA1
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065320803.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_144d000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b50172407867d1cceaf83ce9498adc3b9baad65f0ad0dc07dd6242f22b10c461
                                      • Instruction ID: 2bec0d40f0d01fb7556ea7cbffc234ea9bd7c3c6c77460c907ceee1f924854ab
                                      • Opcode Fuzzy Hash: b50172407867d1cceaf83ce9498adc3b9baad65f0ad0dc07dd6242f22b10c461
                                      • Instruction Fuzzy Hash: 832107B1904204DFEB15DFA8D9C4B16BF65FB94358F20C56ED90A4B366C33AD407CA61
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065320803.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_144d000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6929e64e1c85f7b59f66bb2bfd128ad3c929cc4b954287a9bfb91f6d24a343ee
                                      • Instruction ID: d7dd278a0de2f0b3fe8e552a1756aa8a592ef4e8cbdd598df9dfd845b7058e2c
                                      • Opcode Fuzzy Hash: 6929e64e1c85f7b59f66bb2bfd128ad3c929cc4b954287a9bfb91f6d24a343ee
                                      • Instruction Fuzzy Hash: 762192755093808FDB17CF64D594716BF71EB46214F28C5DBD8498F2A7C33A980ACB62
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065159367.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_143d000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                      • Instruction ID: c4f3ce3fe2d0683c0fe54e2aceb52114ca304d85426d4b7a8768505dd6c1adf1
                                      • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                      • Instruction Fuzzy Hash: E011D272804240CFDB02CF54D5C4B56BF71FB98324F24C6AAD9490B267C33AD456CBA1
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065159367.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_143d000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ec65e8dd8e93979131abbc73fa0e5ec58ffb53f04213971f3de4fc62a9243579
                                      • Instruction ID: 0d7d650cea92367e9745ff9db2202de3b19b5f52fc2e9e02555f3c7970484b97
                                      • Opcode Fuzzy Hash: ec65e8dd8e93979131abbc73fa0e5ec58ffb53f04213971f3de4fc62a9243579
                                      • Instruction Fuzzy Hash: 6801FC318043849AE7114A99CD84767BF98EFC9320F58C42BED080A266C3389805CA71
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2065159367.000000000143D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0143D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_143d000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f94ccf6fc3de0af1f28c73c5616c5bae9500261969229a24338e59d7304ae23c
                                      • Instruction ID: 09caec61941e2c42b8094de5b787a28d3b34ea63781e507121270883a8ab903d
                                      • Opcode Fuzzy Hash: f94ccf6fc3de0af1f28c73c5616c5bae9500261969229a24338e59d7304ae23c
                                      • Instruction Fuzzy Hash: 20F0C2714043849EE7218A1AC884B63FFD8EF85334F18C45AED080B396C3799844CA70

                                      Execution Graph

                                      Execution Coverage:2.6%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:1668
                                      Total number of Limit Nodes:5
                                      execution_graph: serialized node/edge data of the rendered graph (not reproducible here, and cut off before the last node). The recovered nodes lie in the 0x1000xxxx address range and are almost entirely C runtime code (_free, __dosmaperr, _abort, __fassign, ___std_exception_copy, ___DestructExceptionObject, _ValidateLocalCookies, ___scrt_fastfail, ___scrt_release_startup_lock, ___vcrt_uninitialize, __RTC_Initialize, dllmain_dispatch, std::exception::exception, @_EH4_CallFilterFunc@8) wrapping the following Windows APIs: CloseHandle, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, RaiseException, RtlUnwind, IsProcessorFeaturePresent, GetCommandLineA, GetCommandLineW, GetStartupInfoW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, SetStdHandle, GetFileType, CreateFileW, WriteFile, WriteConsoleW, GetConsoleCP, GetConsoleMode, SetFilePointerEx, GetLastError, GetProcessHeap, RtlAllocateHeap, TlsFree, RtlInterlockedFlushSList, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter. Nothing in the recovered portion of the graph goes beyond CRT initialisation, locale handling and console/file I/O; the node and edge identifiers of the original graph carry no further information.
7593->7597 7598 1000544d ___std_exception_copy 26 API calls 7593->7598 7601 10004ff3 7593->7601 7604 1000571e _free 20 API calls 7593->7604 7594->7592 7595->7575 7596->7593 7599 10005000 20 API calls 7597->7599 7598->7593 7600 10004fd7 7599->7600 7602 1000571e _free 20 API calls 7600->7602 7603 100062bc ___std_exception_copy 11 API calls 7601->7603 7602->7594 7605 10004fff 7603->7605 7604->7593 6114 10002418 6115 10002420 ___scrt_release_startup_lock 6114->6115 6118 100047f5 6115->6118 6117 10002448 6119 10004804 6118->6119 6120 10004808 6118->6120 6119->6117 6123 10004815 6120->6123 6124 10005b7a __dosmaperr 20 API calls 6123->6124 6127 1000482c 6124->6127 6125 10002ada _ValidateLocalCookies 5 API calls 6126 10004811 6125->6126 6126->6117 6127->6125 7437 10004a9a 7440 10005411 7437->7440 7441 1000541d _abort 7440->7441 7442 10005af6 _abort 38 API calls 7441->7442 7445 10005422 7442->7445 7443 100055a8 _abort 38 API calls 7444 1000544c 7443->7444 7445->7443 5856 10001c5b 5857 10001c6b ___scrt_fastfail 5856->5857 5860 100012ee 5857->5860 5859 10001c87 5861 10001324 ___scrt_fastfail 5860->5861 5862 100013b7 GetEnvironmentVariableW 5861->5862 5886 100010f1 5862->5886 5865 100010f1 57 API calls 5866 10001465 5865->5866 5867 100010f1 57 API calls 5866->5867 5868 10001479 5867->5868 5869 100010f1 57 API calls 5868->5869 5870 1000148d 5869->5870 5871 100010f1 57 API calls 5870->5871 5872 100014a1 5871->5872 5873 100010f1 57 API calls 5872->5873 5874 100014b5 lstrlenW 5873->5874 5875 100014d2 5874->5875 5876 100014d9 lstrlenW 5874->5876 5875->5859 5877 100010f1 57 API calls 5876->5877 5878 10001501 lstrlenW lstrcatW 5877->5878 5879 100010f1 57 API calls 5878->5879 5880 10001539 lstrlenW lstrcatW 5879->5880 5881 100010f1 57 API calls 5880->5881 5882 1000156b lstrlenW lstrcatW 5881->5882 5883 100010f1 57 API calls 5882->5883 5884 1000159d lstrlenW lstrcatW 5883->5884 5885 100010f1 57 API calls 5884->5885 5885->5875 5887 10001118 ___scrt_fastfail 5886->5887 5888 10001129 
lstrlenW 5887->5888 5899 10002c40 5888->5899 5890 10001148 lstrcatW lstrlenW 5891 10001177 lstrlenW FindFirstFileW 5890->5891 5892 10001168 lstrlenW 5890->5892 5893 100011a0 5891->5893 5894 100011e1 5891->5894 5892->5891 5895 100011c7 FindNextFileW 5893->5895 5898 100011aa 5893->5898 5894->5865 5895->5893 5896 100011da FindClose 5895->5896 5896->5894 5898->5895 5901 10001000 5898->5901 5900 10002c57 5899->5900 5900->5890 5900->5900 5902 10001022 ___scrt_fastfail 5901->5902 5903 100010af 5902->5903 5904 1000102f lstrcatW lstrlenW 5902->5904 5905 100010b5 lstrlenW 5903->5905 5906 100010ad 5903->5906 5907 1000105a lstrlenW 5904->5907 5908 1000106b lstrlenW 5904->5908 5932 10001e16 5905->5932 5906->5898 5907->5908 5918 10001e89 lstrlenW 5908->5918 5911 10001088 GetFileAttributesW 5911->5906 5913 1000109c 5911->5913 5912 100010ca 5912->5906 5914 10001e89 5 API calls 5912->5914 5913->5906 5924 1000173a 5913->5924 5916 100010df 5914->5916 5937 100011ea 5916->5937 5919 10002c40 ___scrt_fastfail 5918->5919 5920 10001ea7 lstrcatW lstrlenW 5919->5920 5921 10001ed1 lstrcatW 5920->5921 5922 10001ec2 5920->5922 5921->5911 5922->5921 5923 10001ec7 lstrlenW 5922->5923 5923->5921 5925 10001747 ___scrt_fastfail 5924->5925 5952 10001cca 5925->5952 5929 1000199f 5929->5906 5930 10001824 ___scrt_fastfail _strlen 5930->5929 5972 100015da 5930->5972 5933 10001e29 5932->5933 5936 10001e4c 5932->5936 5934 10001e2d lstrlenW 5933->5934 5933->5936 5935 10001e3f lstrlenW 5934->5935 5934->5936 5935->5936 5936->5912 5938 1000120e ___scrt_fastfail 5937->5938 5939 10001e89 5 API calls 5938->5939 5940 10001220 GetFileAttributesW 5939->5940 5941 10001235 5940->5941 5942 10001246 5940->5942 5941->5942 5944 1000173a 35 API calls 5941->5944 5943 10001e89 5 API calls 5942->5943 5945 10001258 5943->5945 5944->5942 5946 100010f1 56 API calls 5945->5946 5947 1000126d 5946->5947 5948 10001e89 5 API calls 5947->5948 5949 1000127f ___scrt_fastfail 5948->5949 5950 100010f1 56 API calls 5949->5950 5951 100012e6 
5950->5951 5951->5906 5953 10001cf1 ___scrt_fastfail 5952->5953 5954 10001d0f CopyFileW CreateFileW 5953->5954 5955 10001d44 DeleteFileW 5954->5955 5956 10001d55 GetFileSize 5954->5956 5961 10001808 5955->5961 5957 10001ede 22 API calls 5956->5957 5958 10001d66 ReadFile 5957->5958 5959 10001d94 CloseHandle DeleteFileW 5958->5959 5960 10001d7d CloseHandle DeleteFileW 5958->5960 5959->5961 5960->5961 5961->5929 5962 10001ede 5961->5962 5964 1000222f 5962->5964 5965 1000224e 5964->5965 5968 10002250 5964->5968 5980 1000474f 5964->5980 5985 100047e5 5964->5985 5965->5930 5967 10002908 5969 100035d2 __CxxThrowException@8 RaiseException 5967->5969 5968->5967 5992 100035d2 5968->5992 5970 10002925 5969->5970 5970->5930 5973 1000160c _strcat _strlen 5972->5973 5974 1000163c lstrlenW 5973->5974 6080 10001c9d 5974->6080 5976 10001655 lstrcatW lstrlenW 5977 10001678 5976->5977 5978 10001693 ___scrt_fastfail 5977->5978 5979 1000167e lstrcatW 5977->5979 5978->5930 5979->5978 5995 10004793 5980->5995 5982 10004765 6001 10002ada 5982->6001 5984 1000478f 5984->5964 5990 100056d0 __dosmaperr 5985->5990 5986 1000570e 6014 10006368 5986->6014 5988 100056f9 RtlAllocateHeap 5989 1000570c 5988->5989 5988->5990 5989->5964 5990->5986 5990->5988 5991 1000474f __dosmaperr 7 API calls 5990->5991 5991->5990 5994 100035f2 RaiseException 5992->5994 5994->5967 5996 1000479f ___DestructExceptionObject 5995->5996 6008 10005671 RtlEnterCriticalSection 5996->6008 5998 100047aa 6009 100047dc 5998->6009 6000 100047d1 _abort 6000->5982 6002 10002ae3 6001->6002 6003 10002ae5 IsProcessorFeaturePresent 6001->6003 6002->5984 6005 10002b58 6003->6005 6013 10002b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6005->6013 6007 10002c3b 6007->5984 6008->5998 6012 100056b9 RtlLeaveCriticalSection 6009->6012 6011 100047e3 6011->6000 6012->6011 6013->6007 6017 10005b7a GetLastError 6014->6017 6018 10005b93 6017->6018 6019 10005b99 6017->6019 6036 10005e08 6018->6036 6024 
10005bf0 SetLastError 6019->6024 6043 1000637b 6019->6043 6023 10005bb3 6050 1000571e 6023->6050 6025 10005bf9 6024->6025 6025->5989 6029 10005bb9 6031 10005be7 SetLastError 6029->6031 6030 10005bcf 6063 1000593c 6030->6063 6031->6025 6034 1000571e _free 17 API calls 6035 10005be0 6034->6035 6035->6024 6035->6031 6068 10005c45 6036->6068 6038 10005e2f 6039 10005e47 TlsGetValue 6038->6039 6040 10005e3b 6038->6040 6039->6040 6041 10002ada _ValidateLocalCookies 5 API calls 6040->6041 6042 10005e58 6041->6042 6042->6019 6048 10006388 __dosmaperr 6043->6048 6044 100063c8 6047 10006368 __dosmaperr 19 API calls 6044->6047 6045 100063b3 RtlAllocateHeap 6046 10005bab 6045->6046 6045->6048 6046->6023 6056 10005e5e 6046->6056 6047->6046 6048->6044 6048->6045 6049 1000474f __dosmaperr 7 API calls 6048->6049 6049->6048 6051 10005752 __dosmaperr 6050->6051 6052 10005729 HeapFree 6050->6052 6051->6029 6052->6051 6053 1000573e 6052->6053 6054 10006368 __dosmaperr 18 API calls 6053->6054 6055 10005744 GetLastError 6054->6055 6055->6051 6057 10005c45 __dosmaperr 5 API calls 6056->6057 6058 10005e85 6057->6058 6059 10005ea0 TlsSetValue 6058->6059 6060 10005e94 6058->6060 6059->6060 6061 10002ada _ValidateLocalCookies 5 API calls 6060->6061 6062 10005bc8 6061->6062 6062->6023 6062->6030 6074 10005914 6063->6074 6069 10005c71 6068->6069 6070 10005c75 __crt_fast_encode_pointer 6068->6070 6069->6070 6071 10005ce1 __dosmaperr LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 6069->6071 6073 10005c95 6069->6073 6070->6038 6071->6069 6072 10005ca1 GetProcAddress 6072->6070 6073->6070 6073->6072 6075 10005854 __dosmaperr RtlEnterCriticalSection RtlLeaveCriticalSection 6074->6075 6076 10005938 6075->6076 6077 100058c4 6076->6077 6078 10005758 __dosmaperr 20 API calls 6077->6078 6079 100058e8 6078->6079 6079->6034 6081 10001ca6 _strlen 6080->6081 6081->5976 7606 100020db 7609 100020e7 ___DestructExceptionObject 7606->7609 7607 100020f6 7608 10002110 dllmain_raw 7608->7607 7610 1000212a 
7608->7610 7609->7607 7609->7608 7614 1000210b 7609->7614 7619 10001eec 7610->7619 7612 10002177 7612->7607 7613 10001eec 31 API calls 7612->7613 7615 1000218a 7613->7615 7614->7607 7614->7612 7617 10001eec 31 API calls 7614->7617 7615->7607 7616 10002193 dllmain_raw 7615->7616 7616->7607 7618 1000216d dllmain_raw 7617->7618 7618->7612 7620 10001ef7 7619->7620 7621 10001f2a dllmain_crt_process_detach 7619->7621 7622 10001f1c dllmain_crt_process_attach 7620->7622 7623 10001efc 7620->7623 7628 10001f06 7621->7628 7622->7628 7624 10001f01 7623->7624 7625 10001f12 7623->7625 7624->7628 7629 1000240b 7624->7629 7634 100023ec 7625->7634 7628->7614 7642 100053e5 7629->7642 7735 10003513 7634->7735 7637 100023f5 7637->7628 7640 10002408 7640->7628 7641 1000351e 7 API calls 7641->7637 7648 10005aca 7642->7648 7645 1000351e 7724 10003820 7645->7724 7647 10002415 7647->7628 7649 10005ad4 7648->7649 7650 10002410 7648->7650 7651 10005e08 __dosmaperr 11 API calls 7649->7651 7650->7645 7652 10005adb 7651->7652 7652->7650 7653 10005e5e __dosmaperr 11 API calls 7652->7653 7654 10005aee 7653->7654 7656 100059b5 7654->7656 7657 100059c0 7656->7657 7661 100059d0 7656->7661 7662 100059d6 7657->7662 7660 1000571e _free 20 API calls 7660->7661 7661->7650 7663 100059e9 7662->7663 7666 100059ef 7662->7666 7664 1000571e _free 20 API calls 7663->7664 7664->7666 7665 1000571e _free 20 API calls 7667 100059fb 7665->7667 7666->7665 7668 1000571e _free 20 API calls 7667->7668 7669 10005a06 7668->7669 7670 1000571e _free 20 API calls 7669->7670 7671 10005a11 7670->7671 7672 1000571e _free 20 API calls 7671->7672 7673 10005a1c 7672->7673 7674 1000571e _free 20 API calls 7673->7674 7675 10005a27 7674->7675 7676 1000571e _free 20 API calls 7675->7676 7677 10005a32 7676->7677 7678 1000571e _free 20 API calls 7677->7678 7679 10005a3d 7678->7679 7680 1000571e _free 20 API calls 7679->7680 7681 10005a48 7680->7681 7682 1000571e _free 20 API calls 7681->7682 7683 10005a56 7682->7683 7688 1000589c 
7683->7688 7694 100057a8 7688->7694 7690 100058c0 7691 100058ec 7690->7691 7707 10005809 7691->7707 7693 10005910 7693->7660 7695 100057b4 ___DestructExceptionObject 7694->7695 7702 10005671 RtlEnterCriticalSection 7695->7702 7698 100057be 7699 1000571e _free 20 API calls 7698->7699 7700 100057e8 7698->7700 7699->7700 7703 100057fd 7700->7703 7701 100057f5 _abort 7701->7690 7702->7698 7706 100056b9 RtlLeaveCriticalSection 7703->7706 7705 10005807 7705->7701 7706->7705 7708 10005815 ___DestructExceptionObject 7707->7708 7715 10005671 RtlEnterCriticalSection 7708->7715 7710 1000581f 7716 10005a7f 7710->7716 7712 10005832 7720 10005848 7712->7720 7714 10005840 _abort 7714->7693 7715->7710 7717 10005ab5 __fassign 7716->7717 7718 10005a8e __fassign 7716->7718 7717->7712 7718->7717 7719 10007cc2 __fassign 20 API calls 7718->7719 7719->7717 7723 100056b9 RtlLeaveCriticalSection 7720->7723 7722 10005852 7722->7714 7723->7722 7725 1000384b ___vcrt_freefls@4 7724->7725 7727 1000382d 7724->7727 7725->7647 7726 1000383b 7729 10003ba2 ___vcrt_FlsSetValue 6 API calls 7726->7729 7727->7726 7730 10003b67 7727->7730 7729->7725 7731 10003a82 try_get_function 5 API calls 7730->7731 7732 10003b81 7731->7732 7733 10003b99 TlsGetValue 7732->7733 7734 10003b8d 7732->7734 7733->7734 7734->7726 7741 10003856 7735->7741 7737 100023f1 7737->7637 7738 100053da 7737->7738 7739 10005b7a __dosmaperr 20 API calls 7738->7739 7740 100023fd 7739->7740 7740->7640 7740->7641 7742 10003862 GetLastError 7741->7742 7743 1000385f 7741->7743 7744 10003b67 ___vcrt_FlsGetValue 6 API calls 7742->7744 7743->7737 7745 10003877 7744->7745 7746 100038dc SetLastError 7745->7746 7747 10003ba2 ___vcrt_FlsSetValue 6 API calls 7745->7747 7752 10003896 7745->7752 7746->7737 7748 10003890 7747->7748 7749 100038b8 7748->7749 7750 10003ba2 ___vcrt_FlsSetValue 6 API calls 7748->7750 7748->7752 7751 10003ba2 ___vcrt_FlsSetValue 6 API calls 7749->7751 7749->7752 7750->7749 7751->7752 7752->7746 6128 1000281c 6131 10002882 
6128->6131 6134 10003550 6131->6134 6133 1000282a 6135 1000358a 6134->6135 6136 1000355d 6134->6136 6135->6133 6136->6135 6137 100047e5 ___std_exception_copy 21 API calls 6136->6137 6138 1000357a 6137->6138 6138->6135 6140 1000544d 6138->6140 6141 1000545a 6140->6141 6143 10005468 6140->6143 6141->6143 6147 1000547f 6141->6147 6142 10006368 __dosmaperr 20 API calls 6144 10005470 6142->6144 6143->6142 6149 100062ac 6144->6149 6146 1000547a 6146->6135 6147->6146 6148 10006368 __dosmaperr 20 API calls 6147->6148 6148->6144 6152 10006231 6149->6152 6151 100062b8 6151->6146 6153 10005b7a __dosmaperr 20 API calls 6152->6153 6154 10006247 6153->6154 6155 100062a6 6154->6155 6158 10006255 6154->6158 6163 100062bc IsProcessorFeaturePresent 6155->6163 6157 100062ab 6159 10006231 ___std_exception_copy 26 API calls 6157->6159 6160 10002ada _ValidateLocalCookies 5 API calls 6158->6160 6161 100062b8 6159->6161 6162 1000627c 6160->6162 6161->6151 6162->6151 6164 100062c7 6163->6164 6167 100060e2 6164->6167 6168 100060fe ___scrt_fastfail 6167->6168 6169 1000612a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6168->6169 6172 100061fb ___scrt_fastfail 6169->6172 6170 10002ada _ValidateLocalCookies 5 API calls 6171 10006219 GetCurrentProcess TerminateProcess 6170->6171 6171->6157 6172->6170 7753 10004bdd 7754 10004c08 7753->7754 7755 10004bec 7753->7755 7757 10006d60 51 API calls 7754->7757 7755->7754 7756 10004bf2 7755->7756 7758 10006368 __dosmaperr 20 API calls 7756->7758 7759 10004c0f GetModuleFileNameA 7757->7759 7760 10004bf7 7758->7760 7761 10004c33 7759->7761 7762 100062ac ___std_exception_copy 26 API calls 7760->7762 7776 10004d01 7761->7776 7763 10004c01 7762->7763 7768 10004c72 7771 10004d01 38 API calls 7768->7771 7769 10004c66 7770 10006368 __dosmaperr 20 API calls 7769->7770 7775 10004c6b 7770->7775 7773 10004c88 7771->7773 7772 1000571e _free 20 API calls 7772->7763 7774 1000571e _free 20 API calls 7773->7774 7773->7775 7774->7775 7775->7772 
7778 10004d26 7776->7778 7780 10004d86 7778->7780 7788 100070eb 7778->7788 7779 10004c50 7782 10004e76 7779->7782 7780->7779 7781 100070eb 38 API calls 7780->7781 7781->7780 7783 10004e8b 7782->7783 7784 10004c5d 7782->7784 7783->7784 7785 1000637b __dosmaperr 20 API calls 7783->7785 7784->7768 7784->7769 7786 10004eb9 7785->7786 7787 1000571e _free 20 API calls 7786->7787 7787->7784 7791 10007092 7788->7791 7792 100054a7 __fassign 38 API calls 7791->7792 7793 100070a6 7792->7793 7793->7778 7152 10007260 GetStartupInfoW 7153 10007286 7152->7153 7155 10007318 7152->7155 7153->7155 7158 10008be3 7153->7158 7156 100072af 7156->7155 7157 100072dd GetFileType 7156->7157 7157->7156 7159 10008bef ___DestructExceptionObject 7158->7159 7160 10008c13 7159->7160 7161 10008bfc 7159->7161 7171 10005671 RtlEnterCriticalSection 7160->7171 7162 10006368 __dosmaperr 20 API calls 7161->7162 7164 10008c01 7162->7164 7165 100062ac ___std_exception_copy 26 API calls 7164->7165 7166 10008c0b _abort 7165->7166 7166->7156 7167 10008c4b 7179 10008c72 7167->7179 7169 10008c1f 7169->7167 7172 10008b34 7169->7172 7171->7169 7173 1000637b __dosmaperr 20 API calls 7172->7173 7174 10008b46 7173->7174 7177 10005eb7 11 API calls 7174->7177 7178 10008b53 7174->7178 7175 1000571e _free 20 API calls 7176 10008ba5 7175->7176 7176->7169 7177->7174 7178->7175 7182 100056b9 RtlLeaveCriticalSection 7179->7182 7181 10008c79 7181->7166 7182->7181 7446 100081a0 7447 100081d9 7446->7447 7448 100081dd 7447->7448 7459 10008205 7447->7459 7449 10006368 __dosmaperr 20 API calls 7448->7449 7450 100081e2 7449->7450 7452 100062ac ___std_exception_copy 26 API calls 7450->7452 7451 10008529 7453 10002ada _ValidateLocalCookies 5 API calls 7451->7453 7454 100081ed 7452->7454 7455 10008536 7453->7455 7456 10002ada _ValidateLocalCookies 5 API calls 7454->7456 7458 100081f9 7456->7458 7459->7451 7460 100080c0 7459->7460 7461 100080db 7460->7461 7462 10002ada _ValidateLocalCookies 5 API calls 7461->7462 7463 10008152 
7462->7463 7463->7459 7794 1000a1e0 7797 1000a1fe 7794->7797 7796 1000a1f6 7799 1000a203 7797->7799 7798 1000aa53 21 API calls 7801 1000a42f 7798->7801 7799->7798 7800 1000a298 7799->7800 7800->7796 7801->7796 7183 10009d61 7184 10009d81 7183->7184 7187 10009db8 7184->7187 7186 10009dab 7189 10009dbf 7187->7189 7188 10009e20 7190 1000a90e 7188->7190 7191 1000aa17 21 API calls 7188->7191 7189->7188 7193 10009ddf 7189->7193 7190->7186 7192 10009e6e 7191->7192 7192->7186 7193->7190 7194 1000aa17 21 API calls 7193->7194 7195 1000a93e 7194->7195 7195->7186 7464 100021a1 ___scrt_dllmain_exception_filter 5824 1000c7a7 5825 1000c7be 5824->5825 5831 1000c82c 5824->5831 5825->5831 5836 1000c7e6 GetModuleHandleA 5825->5836 5827 1000c835 GetModuleHandleA 5830 1000c83f 5827->5830 5828 1000c872 5829 1000c7dd 5829->5830 5829->5831 5833 1000c800 GetProcAddress 5829->5833 5830->5831 5832 1000c85f GetProcAddress 5830->5832 5831->5827 5831->5828 5831->5830 5832->5831 5833->5831 5834 1000c80d VirtualProtect 5833->5834 5834->5831 5835 1000c81c VirtualProtect 5834->5835 5835->5831 5837 1000c7ef 5836->5837 5845 1000c82c 5836->5845 5848 1000c803 GetProcAddress 5837->5848 5839 1000c7f4 5842 1000c800 GetProcAddress 5839->5842 5839->5845 5840 1000c872 5841 1000c835 GetModuleHandleA 5844 1000c83f 5841->5844 5843 1000c80d VirtualProtect 5842->5843 5842->5845 5843->5845 5846 1000c81c VirtualProtect 5843->5846 5844->5845 5847 1000c85f GetProcAddress 5844->5847 5845->5840 5845->5841 5845->5844 5846->5845 5847->5845 5849 1000c82c 5848->5849 5850 1000c80d VirtualProtect 5848->5850 5852 1000c872 5849->5852 5853 1000c835 GetModuleHandleA 5849->5853 5850->5849 5851 1000c81c VirtualProtect 5850->5851 5851->5849 5855 1000c83f 5853->5855 5854 1000c85f GetProcAddress 5854->5855 5855->5849 5855->5854 6173 1000742b 6174 10007430 6173->6174 6175 10007453 6174->6175 6177 10008bae 6174->6177 6178 10008bdd 6177->6178 6179 10008bbb 6177->6179 6178->6174 6180 10008bd7 6179->6180 6181 10008bc9 
RtlDeleteCriticalSection 6179->6181 6182 1000571e _free 20 API calls 6180->6182 6181->6180 6181->6181 6182->6178 7196 1000ac6b 7197 1000ac84 __startOneArgErrorHandling 7196->7197 7199 1000acad __startOneArgErrorHandling 7197->7199 7200 1000b2f0 7197->7200 7201 1000b329 __startOneArgErrorHandling 7200->7201 7202 1000b5c1 __raise_exc RaiseException 7201->7202 7203 1000b350 __startOneArgErrorHandling 7201->7203 7202->7203 7204 1000b393 7203->7204 7205 1000b36e 7203->7205 7206 1000b8b2 __startOneArgErrorHandling 20 API calls 7204->7206 7211 1000b8e1 7205->7211 7208 1000b38e __startOneArgErrorHandling 7206->7208 7209 10002ada _ValidateLocalCookies 5 API calls 7208->7209 7210 1000b3b7 7209->7210 7210->7199 7212 1000b8f0 7211->7212 7213 1000b90f __startOneArgErrorHandling 7212->7213 7214 1000b964 __startOneArgErrorHandling 7212->7214 7215 100078a3 __startOneArgErrorHandling 5 API calls 7213->7215 7216 1000b8b2 __startOneArgErrorHandling 20 API calls 7214->7216 7217 1000b950 7215->7217 7219 1000b95d 7216->7219 7218 1000b8b2 __startOneArgErrorHandling 20 API calls 7217->7218 7217->7219 7218->7219 7219->7208 7465 100060ac 7466 100060b7 7465->7466 7468 100060dd 7465->7468 7467 100060c7 FreeLibrary 7466->7467 7466->7468 7467->7466 7220 1000506f 7221 10005081 7220->7221 7222 10005087 7220->7222 7223 10005000 20 API calls 7221->7223 7223->7222 6183 10005630 6184 1000563b 6183->6184 6186 10005664 6184->6186 6188 10005660 6184->6188 6189 10005eb7 6184->6189 6196 10005688 6186->6196 6190 10005c45 __dosmaperr 5 API calls 6189->6190 6191 10005ede 6190->6191 6192 10005efc InitializeCriticalSectionAndSpinCount 6191->6192 6195 10005ee7 6191->6195 6192->6195 6193 10002ada _ValidateLocalCookies 5 API calls 6194 10005f13 6193->6194 6194->6184 6195->6193 6197 100056b4 6196->6197 6198 10005695 6196->6198 6197->6188 6199 1000569f RtlDeleteCriticalSection 6198->6199 6199->6197 6199->6199 7224 10003370 7235 10003330 7224->7235 7236 10003342 7235->7236 7237 1000334f 7235->7237 7238 10002ada 
_ValidateLocalCookies 5 API calls 7236->7238 7238->7237 7802 100063f0 7803 10006400 7802->7803 7806 10006416 7802->7806 7804 10006368 __dosmaperr 20 API calls 7803->7804 7805 10006405 7804->7805 7808 100062ac ___std_exception_copy 26 API calls 7805->7808 7809 10006480 7806->7809 7814 10006561 7806->7814 7821 10006580 7806->7821 7807 10004e76 20 API calls 7810 100064e5 7807->7810 7816 1000640f 7808->7816 7809->7807 7812 100064ee 7810->7812 7818 10006573 7810->7818 7832 100085eb 7810->7832 7813 1000571e _free 20 API calls 7812->7813 7813->7814 7841 1000679a 7814->7841 7819 100062bc ___std_exception_copy 11 API calls 7818->7819 7820 1000657f 7819->7820 7822 1000658c 7821->7822 7822->7822 7823 1000637b __dosmaperr 20 API calls 7822->7823 7824 100065ba 7823->7824 7825 100085eb 26 API calls 7824->7825 7826 100065e6 7825->7826 7827 100062bc ___std_exception_copy 11 API calls 7826->7827 7828 10006615 ___scrt_fastfail 7827->7828 7829 100066b6 FindFirstFileExA 7828->7829 7830 10006705 7829->7830 7831 10006580 26 API calls 7830->7831 7835 1000853a 7832->7835 7833 1000854f 7834 10006368 __dosmaperr 20 API calls 7833->7834 7836 10008554 7833->7836 7840 1000857a 7834->7840 7835->7833 7835->7836 7838 1000858b 7835->7838 7836->7810 7837 100062ac ___std_exception_copy 26 API calls 7837->7836 7838->7836 7839 10006368 __dosmaperr 20 API calls 7838->7839 7839->7840 7840->7837 7845 100067a4 7841->7845 7842 100067b4 7844 1000571e _free 20 API calls 7842->7844 7843 1000571e _free 20 API calls 7843->7845 7846 100067bb 7844->7846 7845->7842 7845->7843 7846->7816 7239 10009e71 7240 10009e95 7239->7240 7241 10009ee6 7240->7241 7243 10009f71 __startOneArgErrorHandling 7240->7243 7244 10009ef8 7241->7244 7247 1000aa53 7241->7247 7245 1000b2f0 21 API calls 7243->7245 7246 1000acad __startOneArgErrorHandling 7243->7246 7245->7246 7248 1000aa70 RtlDecodePointer 7247->7248 7249 1000aa80 7247->7249 7248->7249 7250 1000ab0d 7249->7250 7253 1000ab02 7249->7253 7255 1000aab7 7249->7255 7250->7253 7254 
10006368 __dosmaperr 20 API calls 7250->7254 7251 10002ada _ValidateLocalCookies 5 API calls 7252 1000ac67 7251->7252 7252->7244 7253->7251 7254->7253 7255->7253 7256 10006368 __dosmaperr 20 API calls 7255->7256 7256->7253 7473 10003eb3 7474 10005411 38 API calls 7473->7474 7475 10003ebb 7474->7475 6200 1000543d 6201 10005440 6200->6201 6204 100055a8 6201->6204 6215 10007613 6204->6215 6207 100055b8 6209 100055c2 IsProcessorFeaturePresent 6207->6209 6214 100055e0 6207->6214 6211 100055cd 6209->6211 6212 100060e2 _abort 8 API calls 6211->6212 6212->6214 6245 10004bc1 6214->6245 6248 10007581 6215->6248 6218 1000766e 6219 1000767a _abort 6218->6219 6220 10005b7a __dosmaperr 20 API calls 6219->6220 6221 100076a1 _abort 6219->6221 6225 100076a7 _abort 6219->6225 6220->6221 6222 100076f3 6221->6222 6221->6225 6244 100076d6 6221->6244 6223 10006368 __dosmaperr 20 API calls 6222->6223 6224 100076f8 6223->6224 6227 100062ac ___std_exception_copy 26 API calls 6224->6227 6230 1000771f 6225->6230 6262 10005671 RtlEnterCriticalSection 6225->6262 6227->6244 6231 1000777e 6230->6231 6233 10007776 6230->6233 6241 100077a9 6230->6241 6263 100056b9 RtlLeaveCriticalSection 6230->6263 6231->6241 6264 10007665 6231->6264 6236 10004bc1 _abort 28 API calls 6233->6236 6236->6231 6240 10007665 _abort 38 API calls 6240->6241 6267 1000782e 6241->6267 6242 1000780c 6243 10005af6 _abort 38 API calls 6242->6243 6242->6244 6243->6244 6291 1000bdc9 6244->6291 6295 1000499b 6245->6295 6251 10007527 6248->6251 6250 100055ad 6250->6207 6250->6218 6252 10007533 ___DestructExceptionObject 6251->6252 6257 10005671 RtlEnterCriticalSection 6252->6257 6254 10007541 6258 10007575 6254->6258 6256 10007568 _abort 6256->6250 6257->6254 6261 100056b9 RtlLeaveCriticalSection 6258->6261 6260 1000757f 6260->6256 6261->6260 6262->6230 6263->6233 6265 10005af6 _abort 38 API calls 6264->6265 6266 1000766a 6265->6266 6266->6240 6268 10007834 6267->6268 6269 100077fd 6267->6269 6294 100056b9 RtlLeaveCriticalSection 
6268->6294 6269->6242 6269->6244 6271 10005af6 GetLastError 6269->6271 6272 10005b12 6271->6272 6273 10005b0c 6271->6273 6275 1000637b __dosmaperr 20 API calls 6272->6275 6277 10005b61 SetLastError 6272->6277 6274 10005e08 __dosmaperr 11 API calls 6273->6274 6274->6272 6276 10005b24 6275->6276 6278 10005b2c 6276->6278 6279 10005e5e __dosmaperr 11 API calls 6276->6279 6277->6242 6280 1000571e _free 20 API calls 6278->6280 6281 10005b41 6279->6281 6282 10005b32 6280->6282 6281->6278 6283 10005b48 6281->6283 6284 10005b6d SetLastError 6282->6284 6285 1000593c __dosmaperr 20 API calls 6283->6285 6287 100055a8 _abort 35 API calls 6284->6287 6286 10005b53 6285->6286 6288 1000571e _free 20 API calls 6286->6288 6289 10005b79 6287->6289 6290 10005b5a 6288->6290 6290->6277 6290->6284 6292 10002ada _ValidateLocalCookies 5 API calls 6291->6292 6293 1000bdd4 6292->6293 6293->6293 6294->6269 6296 100049a7 _abort 6295->6296 6303 100049bf 6296->6303 6317 10004af5 GetModuleHandleW 6296->6317 6300 10004a65 6334 10004aa5 6300->6334 6326 10005671 RtlEnterCriticalSection 6303->6326 6305 10004a3c 6307 10004a54 6305->6307 6330 10004669 6305->6330 6306 100049c7 6306->6300 6306->6305 6327 1000527a 6306->6327 6313 10004669 _abort 5 API calls 6307->6313 6308 10004a82 6337 10004ab4 6308->6337 6309 10004aae 6311 1000bdc9 _abort 5 API calls 6309->6311 6316 10004ab3 6311->6316 6313->6300 6318 100049b3 6317->6318 6318->6303 6319 10004b39 GetModuleHandleExW 6318->6319 6320 10004b63 GetProcAddress 6319->6320 6321 10004b78 6319->6321 6320->6321 6322 10004b95 6321->6322 6323 10004b8c FreeLibrary 6321->6323 6324 10002ada _ValidateLocalCookies 5 API calls 6322->6324 6323->6322 6325 10004b9f 6324->6325 6325->6303 6326->6306 6345 10005132 6327->6345 6331 10004698 6330->6331 6332 10002ada _ValidateLocalCookies 5 API calls 6331->6332 6333 100046c1 6332->6333 6333->6307 6367 100056b9 RtlLeaveCriticalSection 6334->6367 6336 10004a7e 6336->6308 6336->6309 6368 10006025 6337->6368 6340 10004ae2 6343 10004b39 
                                      control_flow_graph (continued from the preceding page; basic-block edge list omitted): CRT start-up and teardown routines rooted at 10001f3f, 100067bf and 10005bff, with the helpers _abort, __dosmaperr, _free, _ValidateLocalCookies, ___DestructExceptionObject, ___scrt_fastfail, ___scrt_release_startup_lock, ___scrt_is_nonwritable_in_current_image, ___scrt_initialize_default_local_stdio_options, __RTC_Initialize, ___isa_available_init, ___vcrt_initialize_winapi_thunks, ___vcrt_uninitialize_ptd, ___vcrt_uninitialize_locks, try_get_first_available_module, try_get_function, __crt_fast_encode_pointer and ___std_exception_copy, and the APIs GetPEB, GetCurrentProcess, TerminateProcess, ExitProcess, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeSListHead, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, RtlDeleteCriticalSection, LoadLibraryExW, GetLastError, FreeLibrary, GetProcAddress, TlsAlloc, TlsSetValue, TlsFree, RtlSizeHeap and RtlReAllocateHeap.

                                      Control-flow Graph

                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                      • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                      • FindClose.KERNEL32(00000000), ref: 100011DB
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                      • String ID:
                                      • API String ID: 1083526818-0
                                      • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                      • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                      • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                      • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                      Control-flow Graph

                                      APIs
                                      • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                        • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                        • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                        • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                        • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                      • lstrlenW.KERNEL32(?), ref: 100014C5
                                      • lstrlenW.KERNEL32(?), ref: 100014E0
                                      • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                      • lstrcatW.KERNEL32(00000000), ref: 10001521
                                      • lstrlenW.KERNEL32(?,?), ref: 10001547
                                      • lstrcatW.KERNEL32(00000000), ref: 10001553
                                      • lstrlenW.KERNEL32(?,?), ref: 10001579
                                      • lstrcatW.KERNEL32(00000000), ref: 10001585
                                      • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                      • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                      • String ID: )$Foxmail$ProgramFiles
                                      • API String ID: 672098462-2938083778
                                      • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                      • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                      • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                      • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                        • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                        • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                        • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProtectVirtual
                                      • String ID:
                                      • API String ID: 2099061454-0
                                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                                      Control-flow Graph

                                      control_flow_graph for 1000c7a7 (executed/not-executed colouring and edge list omitted): blocks call 1000c7e6 (at 1000c7c8), GetModuleHandleA (1000c835), GetProcAddress (1000c800 and 1000c85f), VirtualProtect twice (1000c80d and 1000c81c) and 1000c877 (at 1000c872).
                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                        • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                        • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                        • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                        • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProtectVirtual
                                      • String ID:
                                      • API String ID: 2099061454-0
                                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                      • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

                                      Control-flow Graph

                                      control_flow_graph for 1000c803 (executed/not-executed colouring and edge list omitted): GetProcAddress (1000c803), VirtualProtect twice (1000c80d and 1000c81c), GetModuleHandleA (1000c835), GetProcAddress (1000c85f) and a call to 1000c877 (at 1000c872).
                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                      • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                      • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProcProtectVirtual$HandleModule
                                      • String ID:
                                      • API String ID: 2152742572-0
                                      • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                      • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE

                                      Control-flow Graph

                                      control_flow_graph for 1000173a (executed/not-executed colouring and edge list omitted): calls 1000c030 and 10002c40 in the prologue, then 10001cca, 10001ede, 10001ee7, 100044b0, 10001db7, 100016aa and 100015da.
                                      APIs
                                        • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                        • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                        • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                      • _strlen.LIBCMT ref: 10001855
                                      • _strlen.LIBCMT ref: 10001869
                                      • _strlen.LIBCMT ref: 1000188B
                                      • _strlen.LIBCMT ref: 100018AE
                                      • _strlen.LIBCMT ref: 100018C8
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _strlen$File$CopyCreateDelete
                                      • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                      • API String ID: 3296212668-3023110444
                                      • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                      • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                      • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                      • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96
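The String ID for 1000173a lists Acco, un, t, Pass, word and POP3, each twice (the graph has two parallel paths, 100018aa and 100018c4, each measuring them with _strlen). Concatenated in the right order the fragments spell Account, Password and POP3, so a static rule on the whole word "Password" would not hit this module while the fragment set still identifies it. The Python below is an added example, not report output or code from the sample: it splits the "$"-joined value, dedupes it and searches for every way a candidate word can be spelled from the fragments. The candidate list and the reading of the fragments as split constants belonging to a mail-account parser are this example's assumptions; the report only shows the fragments and the CopyFileW/CreateFileW/DeleteFileW subcall.

```python
# Constructed sample: the "String ID" value this report lists for function
# 1000173A, and the words (an assumption of this example) that a mail-account
# parser would be looking for.
STRING_ID = "Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word"
TARGETS = ("Account", "Password", "POP3")


def fragments(string_id):
    """Split Joe Sandbox's '$'-joined string list, dropping duplicates but keeping order."""
    seen, out = set(), []
    for frag in string_id.split("$"):
        if frag and frag not in seen:
            seen.add(frag)
            out.append(frag)
    return out


def partitions(word, frags):
    """Every way to spell `word` as a concatenation of entries from `frags`."""
    if word == "":
        return [[]]
    found = []
    for frag in frags:
        if word.startswith(frag):
            for rest in partitions(word[len(frag):], frags):
                found.append([frag] + rest)
    return found


def reassemble(string_id, targets=TARGETS):
    """Map each candidate word to its spellings from the fragment set ([] if impossible)."""
    frags = fragments(string_id)
    return {word: partitions(word, frags) for word in targets}


def unused_fragments(string_id, targets=TARGETS):
    """Fragments no candidate word consumed: either noise or a word not yet guessed."""
    used = {f for spellings in reassemble(string_id, targets).values()
            for spelling in spellings for f in spelling}
    return [f for f in fragments(string_id) if f not in used]


if __name__ == "__main__":
    for word, spellings in reassemble(STRING_ID).items():
        print(word, "<-", spellings or "not spellable from these fragments")
    print("unused:", unused_fragments(STRING_ID))
```

When every fragment is consumed and each target has exactly one spelling, the split is clean and a content rule should key on the fragment set (all of "Acco", "un", "t" near each other) rather than on the assembled word; leftover fragments are the place to look for a keyword the candidate list missed.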

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: %m$~$Gon~$~F@7$~dra
                                      • API String ID: 4218353326-230879103
                                      • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                      • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                      • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                      • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

                                      Control-flow Graph

                                      control_flow_graph for 10007cc2 (executed/not-executed colouring and edge list omitted): calls 10007e35, 100090ba, 100091b8 and, repeatedly, 1000571e (_free).
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 10007D06
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                      • _free.LIBCMT ref: 10007CFB
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 10007D1D
                                      • _free.LIBCMT ref: 10007D32
                                      • _free.LIBCMT ref: 10007D3D
                                      • _free.LIBCMT ref: 10007D5F
                                      • _free.LIBCMT ref: 10007D72
                                      • _free.LIBCMT ref: 10007D80
                                      • _free.LIBCMT ref: 10007D8B
                                      • _free.LIBCMT ref: 10007DC3
                                      • _free.LIBCMT ref: 10007DCA
                                      • _free.LIBCMT ref: 10007DE7
                                      • _free.LIBCMT ref: 10007DFF
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                      • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                      • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                      • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

                                      Control-flow Graph

                                      APIs
                                      • _free.LIBCMT ref: 100059EA
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100059F6
                                      • _free.LIBCMT ref: 10005A01
                                      • _free.LIBCMT ref: 10005A0C
                                      • _free.LIBCMT ref: 10005A17
                                      • _free.LIBCMT ref: 10005A22
                                      • _free.LIBCMT ref: 10005A2D
                                      • _free.LIBCMT ref: 10005A38
                                      • _free.LIBCMT ref: 10005A43
                                      • _free.LIBCMT ref: 10005A51
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                      • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                      • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                      • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

                                      Control-flow Graph

                                      APIs
                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 1454806937-0
                                      • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                      • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                      • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                      • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
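                                      The API sequence listed for this function (CopyFileW, then CreateFileW with dwDesiredAccess 0x80000000 = GENERIC_READ and OPEN_EXISTING, GetFileSize, ReadFile, CloseHandle, DeleteFileW) is the usual way a stealer reads a credential database that the owning application keeps open with an exclusive lock: copy it somewhere writable, read the copy in full, delete the copy. The DeleteFileW directly after CreateFileW reads as the cleanup path taken when the open fails. The following is an added detection example, not code from the report or from the sample: it runs a copy-read-delete heuristic over a per-process API trace. The pipe-separated trace format and the trace lines themselves are constructed for the example (the Chrome "Login Data" path is only a plausible target; the report does not show which file this function copies).

```python
"""Copy -> read -> delete staging heuristic over a sandbox API trace.

Trace line format (constructed for this example, not Joe Sandbox's export):
    pid|api|arg1|arg2|...
    CreateFileW args: path|access_hex|share|disposition|flags|returned_handle
    ReadFile args:    handle|bytes_read
"""
from collections import defaultdict
from dataclasses import dataclass

GENERIC_READ = 0x80000000


@dataclass
class _Staged:
    src: str                      # file that was copied
    opened_for_read: bool = False # copy opened with GENERIC_READ
    bytes_read: int = 0           # total bytes read back from the copy


def parse_trace(lines):
    """Yield (pid, api, args) for every non-comment, non-empty trace line."""
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        pid, api, *args = raw.split("|")
        yield int(pid), api, args


def find_staged_reads(lines):
    """Return [(pid, src, copy, bytes_read)] for each copy->read->delete chain.

    A chain counts only if the copy was opened for reading and at least one
    byte was read before the copy was deleted; a plain copy+delete does not.
    """
    staged = defaultdict(dict)   # pid -> {copy_path_lower: _Staged}
    handles = defaultdict(dict)  # pid -> {handle: copy_path_lower}
    hits = []
    for pid, api, args in parse_trace(lines):
        if api == "CopyFileW":
            src, dst = args[0], args[1]
            staged[pid][dst.lower()] = _Staged(src=src)
        elif api == "CreateFileW":
            path, access, handle = args[0], int(args[1], 16), args[-1]
            st = staged[pid].get(path.lower())
            if st is not None and access & GENERIC_READ:
                st.opened_for_read = True
                handles[pid][handle] = path.lower()
        elif api == "ReadFile":
            handle, nbytes = args[0], int(args[1])
            path = handles[pid].get(handle)
            if path is not None:
                staged[pid][path].bytes_read += nbytes
        elif api == "CloseHandle":
            handles[pid].pop(args[0], None)
        elif api == "DeleteFileW":
            st = staged[pid].pop(args[0].lower(), None)
            if st is not None and st.opened_for_read and st.bytes_read > 0:
                hits.append((pid, st.src, args[0], st.bytes_read))
    return hits


# Constructed trace: pid 5 stages and reads a locked browser database,
# pid 7 only copies and deletes a file and must not be flagged.
SAMPLE_TRACE = """
# constructed trace, not a real Joe Sandbox export
5|CopyFileW|C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data|C:\\Users\\u\\AppData\\Local\\Temp\\tmpA1.db
5|CreateFileW|C:\\Users\\u\\AppData\\Local\\Temp\\tmpA1.db|80000000|0|3|80|0x1F4
5|GetFileSize|0x1F4|24576
5|ReadFile|0x1F4|24576
5|CloseHandle|0x1F4
5|DeleteFileW|C:\\Users\\u\\AppData\\Local\\Temp\\tmpA1.db
7|CopyFileW|C:\\setup.log|C:\\setup.bak
7|DeleteFileW|C:\\setup.bak
""".splitlines()


if __name__ == "__main__":
    for pid, src, copy, n in find_staged_reads(SAMPLE_TRACE):
        print(f"pid {pid}: staged read of {src!r} via {copy!r} ({n} bytes)")
```

                                      The heuristic keys on the copy's path rather than on the source, so it also catches the common variant where the source is a registry-exported or hard-linked file; widening it to ReadFile on the original (for unlocked files) would produce far more noise from ordinary installers.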

                                      Control-flow Graph (image not rendered; the executed/not-executed colouring of the blocks is lost). Basic blocks, the API or call each contains, and their successors:

                                      377 10009492-100094ef GetConsoleCP -> 378, 379
                                      378 10009632-10009644 call 10002ada (exit)
                                      379 100094f5-10009511 -> 381, 382
                                      381 10009513-1000952a -> 384
                                      382 1000952c-1000953d call 10007c19 -> 389, 390
                                      384 10009566-10009575 call 100079e6 -> 378, 391
                                      389 10009563-10009565 -> 384
                                      390 1000953f-10009542 -> 392, 393
                                      391 1000957b-1000959b WideCharToMultiByte -> 378, 394
                                      392 10009548-1000955a call 100079e6 -> 378, 399
                                      393 10009609-10009628 -> 378
                                      394 100095a1-100095b7 WriteFile -> 396, 397
                                      396 100095b9-100095ca -> 378, 400
                                      397 1000962a-10009630 GetLastError -> 378
                                      399 10009560-10009561 -> 391
                                      400 100095cc-100095d0 -> 401, 402
                                      401 100095d2-100095f0 WriteFile -> 397, 403
                                      402 100095fe-10009601 -> 379, 404
                                      403 100095f2-100095f6 -> 378, 405
                                      404 10009607 -> 378
                                      405 100095f8-100095fb -> 402
                                      APIs
                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                      • __fassign.LIBCMT ref: 1000954F
                                      • __fassign.LIBCMT ref: 1000956A
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                      • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                      • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                      • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                      • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                      • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

                                      Control-flow Graph (image not rendered; the executed/not-executed colouring of the blocks is lost). Basic blocks, the calls each contains, and their successors:

                                      406 10003370-100033b5 call 10003330, call 100037a7 -> 411, 412
                                      411 10003416-10003419 -> 413, 414
                                      412 100033b7-100033c9 -> 413, 415
                                      413 10003439-10003442 (exit)
                                      414 1000341b-10003428 call 10003790 -> 418
                                      415 100033cb -> 417
                                      417 100033d0-100033e7 -> 419, 420
                                      418 1000342d-10003436 call 10003330 -> 413
                                      419 100033e9-100033f7 call 10003740 -> 428, 429
                                      420 100033fd -> 421
                                      421 10003400-10003405 -> 417, 424
                                      424 10003407-10003409 -> 413, 427
                                      427 1000340b -> 418
                                      428 100033f9 -> 430, 431
                                      429 1000340d-10003414 -> 418
                                      430 10003443-1000344c -> 432, 433
                                      431 100033fb -> 421
                                      432 10003486-10003496 call 10003774 -> 439, 440
                                      433 1000344e-10003455 -> 432, 435
                                      435 10003457-10003466 call 1000bbe0 -> 441, 442
                                      439 10003498-100034a7 call 10003790 -> 440
                                      440 100034aa-100034c6 call 10003330, call 10003758 (exit)
                                      441 10003483 -> 432
                                      442 10003468-10003480 -> 441
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                      • _ValidateLocalCookies.LIBCMT ref: 10003431
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                      • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                      • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                      • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                      • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

                                      Control-flow Graph (image not rendered in this export)

                                      APIs
                                        • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                      • _free.LIBCMT ref: 100092AB
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100092B6
                                      • _free.LIBCMT ref: 100092C1
                                      • _free.LIBCMT ref: 10009315
                                      • _free.LIBCMT ref: 10009320
                                      • _free.LIBCMT ref: 1000932B
                                      • _free.LIBCMT ref: 10009336
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                      • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                      • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                      • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

                                      Control-flow Graph (image not rendered; the executed/not-executed colouring of the blocks is lost). Basic blocks, the API or call each contains, and their successors:

                                      488 10008821-1000883a -> 489, 490
                                      489 10008850-10008855 -> 491, 492
                                      490 1000883c-1000884c call 10009341 -> 489, 500
                                      491 10008862-10008886 MultiByteToWideChar -> 494, 495
                                      492 10008857-1000885f -> 491
                                      494 10008a19-10008a2c call 10002ada (exit)
                                      495 1000888c-10008898 -> 497, 498
                                      497 1000889a-100088ab -> 501, 502
                                      498 100088ec -> 504
                                      500 1000884e -> 489
                                      501 100088ca-100088db call 100056d0 -> 506, 516
                                      502 100088ad-100088bc call 1000bf20 -> 506, 515
                                      504 100088ee-100088f0 -> 505, 506
                                      505 100088f6-10008909 MultiByteToWideChar -> 506, 509
                                      506 10008a0e -> 510
                                      509 1000890f-1000892a call 10005f19 -> 506, 520
                                      510 10008a10-10008a17 call 10008801 -> 494
                                      515 100088c2-100088c8 -> 519
                                      516 100088e1 -> 519
                                      519 100088e7-100088ea -> 504
                                      520 10008930-10008937 -> 521, 522
                                      521 10008971-1000897d -> 524, 525
                                      522 10008939-1000893e -> 510, 523
                                      523 10008944-10008946 -> 506, 526
                                      524 100089c9 -> 527
                                      525 1000897f-10008990 -> 528, 529
                                      526 1000894c-10008966 call 10005f19 -> 510, 543
                                      527 100089cb-100089cd -> 532, 533
                                      528 10008992-100089a1 call 1000bf20 -> 532, 541
                                      529 100089ab-100089bc call 100056d0 -> 532, 542
                                      532 10008a07-10008a0d call 10008801 -> 506
                                      533 100089cf-100089e8 call 10005f19 -> 532, 546
                                      541 100089a3-100089a9 -> 545
                                      542 100089be -> 545
                                      543 1000896c -> 506
                                      545 100089c4-100089c7 -> 527
                                      546 100089ea-100089f1 -> 547, 548
                                      547 100089f3-100089f4 -> 549
                                      548 10008a2d-10008a33 -> 549
                                      549 100089f5-10008a05 WideCharToMultiByte -> 532, 550
                                      550 10008a35-10008a3c call 10008801 -> 510
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                      • __freea.LIBCMT ref: 10008A08
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      • __freea.LIBCMT ref: 10008A11
                                      • __freea.LIBCMT ref: 10008A36
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                      • String ID:
                                      • API String ID: 1414292761-0
                                      • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                      • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                      • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                      • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                      APIs
                                      • _strlen.LIBCMT ref: 10001607
                                      • _strcat.LIBCMT ref: 1000161D
                                      • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                      • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                      • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                      • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrcatlstrlen$_strcat_strlen
                                      • String ID:
                                      • API String ID: 1922816806-0
                                      • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                      • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                      • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                      • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                      APIs
                                      • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                      • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrlen$AttributesFilelstrcat
                                      • String ID:
                                      • API String ID: 3594823470-0
                                      • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                      • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                      • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                      • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                      APIs
                                      • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                      • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                      • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                      • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                      • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                      APIs
                                      • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                      • _free.LIBCMT ref: 10005B2D
                                      • _free.LIBCMT ref: 10005B55
                                      • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                      • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                      • _abort.LIBCMT ref: 10005B74
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                      • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                      • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                      • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                      APIs
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                        • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                        • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                      • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                        • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                        • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                      • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                      • API String ID: 4036392271-1520055953
                                      • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                      • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                      • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                      • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
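                                      The strings this function concatenates with lstrcatW and then probes with GetFileAttributesW (\Accounts\Account.rec0, \Data\AccCfg\Accounts.tdat, \Mail\, \Storage\) are mail-client account-store paths, matching the "Tries to steal Mail credentials (via file access)" signature in the overview. The following is an added triage example, not code from the report or from the sample: it scans a raw memory dump for those path strings so the same indicator can be checked in other dumps offline. Because the function uses the W (UTF-16LE) API family, the strings are searched as UTF-16LE first, with an ANSI fallback for the _strcat/_strlen path also listed for this module. The dump bytes are constructed; the image base 0x10000000 is the one the report gives for this memory dump source.

```python
"""Scan a raw memory dump for the mail-client credential-file path strings
listed for this function.  Dump contents below are constructed for the example."""
import re

# Path fragments taken from this function's "String ID" line in the report.
MAIL_CRED_PATHS = [
    "\\Accounts\\Account.rec0",
    "\\Data\\AccCfg\\Accounts.tdat",
    "\\Mail\\",
    "\\Storage\\",
]


def _patterns():
    """Yield (string, encoding, compiled byte regex) for UTF-16LE and ANSI forms."""
    for s in MAIL_CRED_PATHS:
        yield s, "utf-16le", re.compile(re.escape(s.encode("utf-16-le")))
        yield s, "ansi", re.compile(re.escape(s.encode("ascii")))


def scan_dump(blob, image_base=0x10000000):
    """Return [(virtual_address, encoding, string)] sorted by address.

    image_base is the load address of the dumped module so that hits can be
    compared with the addresses in a disassembly of the same dump.
    """
    hits = []
    for s, enc, pat in _patterns():
        for m in pat.finditer(blob):
            hits.append((image_base + m.start(), enc, s))
    return sorted(hits)


def verdict(hits, minimum=3):
    """True when at least `minimum` distinct path strings are present and one
    of them is an account-file name.  "\\Mail\\" and "\\Storage\\" alone are
    too generic (any mail client or backup tool has them) to score by
    themselves."""
    distinct = {s for _, _, s in hits}
    has_account_file = any(s.endswith((".rec0", ".tdat")) for s in distinct)
    return has_account_file and len(distinct) >= minimum


# Constructed dump: padding, three UTF-16LE strings (NUL-terminated) separated
# by filler, then one ANSI copy as the _strcat path would use it.
SAMPLE_DUMP = (
    b"\x00" * 0x40
    + "\\Storage\\".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 0x10
    + "\\Accounts\\Account.rec0".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 0x10
    + "\\Data\\AccCfg\\Accounts.tdat".encode("utf-16-le") + b"\x00\x00"
    + b"\\Mail\\\x00"
)


if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for va, enc, s in found:
        print(f"{va:#010x} {enc:8} {s}")
    print("mail credential harvesting indicators:", verdict(found))
```

                                      Run against a real .sdmp from the report, read the file as bytes and pass the dump's base address from the "Memory Dump Source" line; the addresses returned then line up with the ref: values in the API list.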
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                      • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                      • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                      • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                      • _free.LIBCMT ref: 100071B8
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                      • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                      • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                      • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                      • _free.LIBCMT ref: 10005BB4
                                      • _free.LIBCMT ref: 10005BDB
                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                      • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                      • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                      • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                      • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                      • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                      • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                      • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                       Memory Dump Source
                                       • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                       Similarity
                                       • API ID: lstrlen$lstrcat
                                       • String ID:
                                      APIs
                                      • _free.LIBCMT ref: 100091D0
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100091E2
                                      • _free.LIBCMT ref: 100091F4
                                      • _free.LIBCMT ref: 10009206
                                      • _free.LIBCMT ref: 10009218
                                       Memory Dump Source
                                       • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                       Similarity
                                       • API ID: _free$ErrorFreeHeapLast
                                       • String ID:
                                      APIs
                                      • _free.LIBCMT ref: 1000536F
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 10005381
                                      • _free.LIBCMT ref: 10005394
                                      • _free.LIBCMT ref: 100053A5
                                      • _free.LIBCMT ref: 100053B6
                                       Memory Dump Source
                                       • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                       Similarity
                                       • API ID: _free$ErrorFreeHeapLast
                                       • String ID:
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\Adobe\Adobe.exe,00000104), ref: 10004C1D
                                      • _free.LIBCMT ref: 10004CE8
                                      • _free.LIBCMT ref: 10004CF2
                                       Memory Dump Source
                                       • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                       Similarity
                                       • API ID: _free$FileModuleName
                                       • String ID: C:\ProgramData\Adobe\Adobe.exe
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                      • __freea.LIBCMT ref: 100087D5
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                       Memory Dump Source
                                       • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                       Similarity
                                       • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                       • String ID:
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                      • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                       Memory Dump Source
                                       • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                       Similarity
                                       • API ID: LibraryLoad$ErrorLast
                                       • String ID:
                                      APIs
                                      • _free.LIBCMT ref: 1000655C
                                        • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                        • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                        • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                       Memory Dump Source
                                       • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                       Similarity
                                       • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                       • String ID: *?$.
                                       Memory Dump Source
                                       • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                       Similarity
                                       • API ID: _strlen
                                       • String ID: : $Se.
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                        • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                       Memory Dump Source
                                       • Source File: 00000005.00000002.4501143392.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                       • Associated: 00000005.00000002.4501120067.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                       • Associated: 00000005.00000002.4501143392.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_5_2_10000000_Adobe.jbxd
                                       Similarity
                                       • API ID: Exception@8Throw$ExceptionRaise
                                       • String ID: Unknown exception

                                      Execution Graph

                                       Execution Coverage: 6.6%
                                       Dynamic/Decrypted Code Coverage: 9.2%
                                       Signature Coverage: 0%
                                       Total number of Nodes: 2000
                                       Total number of Limit Nodes: 87
4456e2 38449->38454 38455 445c23 38450->38455 38451 445d83 38451->38385 38452->38446 38814 413fa6 _wcsicmp _wcsicmp 38454->38814 38459 409d1f 6 API calls 38455->38459 38457 445e12 38464 445e6b 38457->38464 38470 40b2cc 27 API calls 38457->38470 38462 445c37 38459->38462 38460 445aa1 38463 445b17 38460->38463 38478 445ab2 memset 38460->38478 38491 409d1f 6 API calls 38460->38491 38787 40add4 38460->38787 38792 445389 38460->38792 38801 40ae51 38460->38801 38461 4456eb 38466 4456fd memset memset memset memset 38461->38466 38467 4457ea 38461->38467 38468 445389 258 API calls 38462->38468 38895 40aebe 38463->38895 38922 445093 23 API calls 38464->38922 38815 409c70 wcscpy wcsrchr 38466->38815 38818 413d29 38467->38818 38473 445c47 38468->38473 38474 445e33 38470->38474 38480 40b2cc 27 API calls 38473->38480 38481 409d1f 6 API calls 38474->38481 38476 445e7e 38477 445f67 38476->38477 38486 40b2cc 27 API calls 38477->38486 38482 40b2cc 27 API calls 38478->38482 38484 445c53 38480->38484 38485 445e47 38481->38485 38482->38460 38483 409c70 2 API calls 38487 44577e 38483->38487 38488 409d1f 6 API calls 38484->38488 38921 409b98 GetFileAttributesW 38485->38921 38490 445f73 38486->38490 38492 409c70 2 API calls 38487->38492 38493 445c67 38488->38493 38495 409d1f 6 API calls 38490->38495 38491->38460 38496 44578d 38492->38496 38497 445389 258 API calls 38493->38497 38494 445e56 38494->38464 38500 445e83 memset 38494->38500 38498 445f87 38495->38498 38496->38467 38503 40b2cc 27 API calls 38496->38503 38497->38359 38925 409b98 GetFileAttributesW 38498->38925 38502 40b2cc 27 API calls 38500->38502 38505 445eab 38502->38505 38506 4457a8 38503->38506 38504->38385 38504->38448 38507 409d1f 6 API calls 38505->38507 38508 409d1f 6 API calls 38506->38508 38509 445ebf 38507->38509 38510 4457b8 38508->38510 38511 40ae18 9 API calls 38509->38511 38817 409b98 GetFileAttributesW 38510->38817 38521 445ef5 38511->38521 38513 4457c7 38513->38467 38515 4087b3 338 API calls 38513->38515 38514 
40ae51 9 API calls 38514->38521 38515->38467 38516 445f5c 38518 40aebe FindClose 38516->38518 38517 40add4 2 API calls 38517->38521 38518->38477 38519 40b2cc 27 API calls 38519->38521 38520 409d1f 6 API calls 38520->38521 38521->38514 38521->38516 38521->38517 38521->38519 38521->38520 38523 445f3a 38521->38523 38923 409b98 GetFileAttributesW 38521->38923 38924 445093 23 API calls 38523->38924 38525->38322 38526->38324 38527->38322 38528->38317 38530 40c775 38529->38530 38926 40b1ab free free 38530->38926 38532 40c788 38927 40b1ab free free 38532->38927 38534 40c790 38928 40b1ab free free 38534->38928 38536 40c798 38537 40aa04 free 38536->38537 38538 40c7a0 38537->38538 38929 40c274 memset 38538->38929 38543 40a8ab 9 API calls 38544 40c7c3 38543->38544 38545 40a8ab 9 API calls 38544->38545 38546 40c7d0 38545->38546 38958 40c3c3 38546->38958 38550 40c877 38559 40bdb0 38550->38559 38551 40c86c 39000 4053fe 39 API calls 38551->39000 38553 40c7e5 38553->38550 38553->38551 38558 40c634 49 API calls 38553->38558 38983 40a706 38553->38983 38558->38553 39190 404363 38559->39190 38562 40bf5d 39210 40440c 38562->39210 38564 40bdee 38564->38562 38567 40b2cc 27 API calls 38564->38567 38565 40bddf CredEnumerateW 38565->38564 38568 40be02 wcslen 38567->38568 38568->38562 38570 40be1e 38568->38570 38569 40be26 wcsncmp 38569->38570 38570->38562 38570->38569 38573 40be7d memset 38570->38573 38574 40bea7 memcpy 38570->38574 38575 40bf11 wcschr 38570->38575 38576 40b2cc 27 API calls 38570->38576 38578 40bf43 LocalFree 38570->38578 39213 40bd5d 28 API calls 38570->39213 39214 404423 38570->39214 38573->38570 38573->38574 38574->38570 38574->38575 38575->38570 38577 40bef6 _wcsnicmp 38576->38577 38577->38570 38577->38575 38578->38570 38579 4135f7 39227 4135e0 38579->39227 38582 40b2cc 27 API calls 38583 41360d 38582->38583 38584 40a804 8 API calls 38583->38584 38585 413613 38584->38585 38586 41361b 38585->38586 38587 41363e 38585->38587 38588 40b273 27 API calls 38586->38588 38589 
4135e0 FreeLibrary 38587->38589 38590 413625 GetProcAddress 38588->38590 38591 413643 38589->38591 38590->38587 38592 413648 38590->38592 38591->38345 38593 413658 38592->38593 38594 4135e0 FreeLibrary 38592->38594 38593->38345 38595 413666 38594->38595 38595->38345 39230 4449b9 38596->39230 38599 444c1f 38599->38332 38600 4449b9 42 API calls 38602 444b4b 38600->38602 38601 444c15 38603 4449b9 42 API calls 38601->38603 38602->38601 39251 444972 GetVersionExW 38602->39251 38603->38599 38605 444b99 memcmp 38610 444b8c 38605->38610 38606 444c0b 39255 444a85 42 API calls 38606->39255 38610->38605 38610->38606 39252 444aa5 42 API calls 38610->39252 39253 40a7a0 GetVersionExW 38610->39253 39254 444a85 42 API calls 38610->39254 38613 40399d 38612->38613 39256 403a16 38613->39256 38615 403a09 39270 40b1ab free free 38615->39270 38617 4039a3 38617->38615 38621 4039f4 38617->38621 39267 40a02c CreateFileW 38617->39267 38618 403a12 wcsrchr 38618->38348 38621->38615 38622 4099c6 2 API calls 38621->38622 38622->38615 38624 414c2e 16 API calls 38623->38624 38625 404048 38624->38625 38626 414c2e 16 API calls 38625->38626 38627 404056 38626->38627 38628 409d1f 6 API calls 38627->38628 38629 404073 38628->38629 38630 409d1f 6 API calls 38629->38630 38631 40408e 38630->38631 38632 409d1f 6 API calls 38631->38632 38633 4040a6 38632->38633 38634 403af5 20 API calls 38633->38634 38635 4040ba 38634->38635 38636 403af5 20 API calls 38635->38636 38637 4040cb 38636->38637 39297 40414f memset 38637->39297 38639 404140 39311 40b1ab free free 38639->39311 38641 4040ec memset 38644 4040e0 38641->38644 38642 404148 38642->38405 38643 4099c6 2 API calls 38643->38644 38644->38639 38644->38641 38644->38643 38645 40a8ab 9 API calls 38644->38645 38645->38644 39324 40a6e6 WideCharToMultiByte 38646->39324 38648 4087ed 39325 4095d9 memset 38648->39325 38651 408953 38651->38405 38652 408809 memset memset memset memset memset 38653 40b2cc 27 API calls 38652->38653 38654 4088a1 38653->38654 38655 409d1f 6 
API calls 38654->38655 38656 4088b1 38655->38656 38657 40b2cc 27 API calls 38656->38657 38658 4088c0 38657->38658 38659 409d1f 6 API calls 38658->38659 38660 4088d0 38659->38660 38661 40b2cc 27 API calls 38660->38661 38662 4088df 38661->38662 38663 409d1f 6 API calls 38662->38663 38664 4088ef 38663->38664 38665 40b2cc 27 API calls 38664->38665 38666 4088fe 38665->38666 38667 409d1f 6 API calls 38666->38667 38668 40890e 38667->38668 38669 40b2cc 27 API calls 38668->38669 38670 40891d 38669->38670 38671 409d1f 6 API calls 38670->38671 38698 40b633 free 38697->38698 38699 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38698->38699 38700 413f00 Process32NextW 38699->38700 38701 413da5 OpenProcess 38700->38701 38702 413f17 CloseHandle 38700->38702 38703 413df3 memset 38701->38703 38708 413eb0 38701->38708 38702->38443 39646 413f27 38703->39646 38705 413ebf free 38705->38708 38706 4099f4 3 API calls 38706->38708 38708->38700 38708->38705 38708->38706 38709 413e37 GetModuleHandleW 38710 413e1f 38709->38710 38711 413e46 GetProcAddress 38709->38711 38710->38709 39651 413959 38710->39651 39667 413ca4 38710->39667 38711->38710 38713 413ea2 CloseHandle 38713->38708 38715 414c2e 16 API calls 38714->38715 38716 403eb7 38715->38716 38717 414c2e 16 API calls 38716->38717 38718 403ec5 38717->38718 38719 409d1f 6 API calls 38718->38719 38720 403ee2 38719->38720 38721 409d1f 6 API calls 38720->38721 38722 403efd 38721->38722 38723 409d1f 6 API calls 38722->38723 38724 403f15 38723->38724 38725 403af5 20 API calls 38724->38725 38726 403f29 38725->38726 38727 403af5 20 API calls 38726->38727 38728 403f3a 38727->38728 38729 40414f 33 API calls 38728->38729 38730 403f4f 38729->38730 38731 403faf 38730->38731 38733 403f5b memset 38730->38733 38735 4099c6 2 API calls 38730->38735 38736 40a8ab 9 API calls 38730->38736 39681 40b1ab free free 38731->39681 38733->38730 38734 403fb7 38734->38389 38735->38730 38736->38730 38738 414c2e 16 API calls 38737->38738 38739 403d26 38738->38739 
38740 414c2e 16 API calls 38739->38740 38741 403d34 38740->38741 38742 409d1f 6 API calls 38741->38742 38743 403d51 38742->38743 38744 409d1f 6 API calls 38743->38744 38745 403d6c 38744->38745 38746 409d1f 6 API calls 38745->38746 38747 403d84 38746->38747 38748 403af5 20 API calls 38747->38748 38749 403d98 38748->38749 38750 403af5 20 API calls 38749->38750 38751 403da9 38750->38751 38752 40414f 33 API calls 38751->38752 38753 403dbe 38752->38753 38754 403e1e 38753->38754 38755 403dca memset 38753->38755 38758 4099c6 2 API calls 38753->38758 38759 40a8ab 9 API calls 38753->38759 39682 40b1ab free free 38754->39682 38755->38753 38757 403e26 38757->38393 38758->38753 38759->38753 38761 414b81 9 API calls 38760->38761 38762 414c40 38761->38762 38763 414c73 memset 38762->38763 39683 409cea 38762->39683 38764 414c94 38763->38764 39686 414592 RegOpenKeyExW 38764->39686 38768 414c64 38768->38383 38769 414cc1 38770 414cf4 wcscpy 38769->38770 39687 414bb0 wcscpy 38769->39687 38770->38768 38772 414cd2 39688 4145ac RegQueryValueExW 38772->39688 38774 414ce9 RegCloseKey 38774->38770 38776 409d62 38775->38776 38777 409d43 wcscpy 38775->38777 38776->38425 38778 409719 2 API calls 38777->38778 38779 409d51 wcscat 38778->38779 38779->38776 38781 40aebe FindClose 38780->38781 38782 40ae21 38781->38782 38783 4099c6 2 API calls 38782->38783 38784 40ae35 38783->38784 38785 409d1f 6 API calls 38784->38785 38786 40ae49 38785->38786 38786->38460 38788 40ade0 38787->38788 38789 40ae0f 38787->38789 38788->38789 38790 40ade7 wcscmp 38788->38790 38789->38460 38790->38789 38791 40adfe wcscmp 38790->38791 38791->38789 38793 40ae18 9 API calls 38792->38793 38799 4453c4 38793->38799 38794 40ae51 9 API calls 38794->38799 38795 4453f3 38797 40aebe FindClose 38795->38797 38796 40add4 2 API calls 38796->38799 38798 4453fe 38797->38798 38798->38460 38799->38794 38799->38795 38799->38796 38800 445403 253 API calls 38799->38800 38800->38799 38802 40ae7b FindNextFileW 38801->38802 38803 40ae5c 
FindFirstFileW 38801->38803 38804 40ae94 38802->38804 38805 40ae8f 38802->38805 38803->38804 38807 40aeb6 38804->38807 38808 409d1f 6 API calls 38804->38808 38806 40aebe FindClose 38805->38806 38806->38804 38807->38460 38808->38807 38809->38367 38810->38392 38811->38446 38812->38427 38813->38427 38814->38461 38816 409c89 38815->38816 38816->38483 38817->38513 38819 413d39 38818->38819 38820 413d2f FreeLibrary 38818->38820 38821 40b633 free 38819->38821 38820->38819 38822 413d42 38821->38822 38823 40b633 free 38822->38823 38824 413d4a 38823->38824 38824->38340 38825->38344 38826->38395 38827->38409 38829 44db70 38828->38829 38830 40b6fc memset 38829->38830 38831 409c70 2 API calls 38830->38831 38832 40b732 wcsrchr 38831->38832 38833 40b743 38832->38833 38834 40b746 memset 38832->38834 38833->38834 38835 40b2cc 27 API calls 38834->38835 38836 40b76f 38835->38836 38837 409d1f 6 API calls 38836->38837 38838 40b783 38837->38838 39689 409b98 GetFileAttributesW 38838->39689 38840 40b792 38841 40b7c2 38840->38841 38842 409c70 2 API calls 38840->38842 39690 40bb98 38841->39690 38844 40b7a5 38842->38844 38846 40b2cc 27 API calls 38844->38846 38849 40b7b2 38846->38849 38847 40b837 CloseHandle 38851 40b83e memset 38847->38851 38848 40b817 39724 409a45 GetTempPathW 38848->39724 38853 409d1f 6 API calls 38849->38853 39723 40a6e6 WideCharToMultiByte 38851->39723 38853->38841 38854 40b827 CopyFileW 38854->38851 38855 40b866 38856 444432 121 API calls 38855->38856 38857 40b879 38856->38857 38858 40bad5 38857->38858 38859 40b273 27 API calls 38857->38859 38860 40baeb 38858->38860 38861 40bade DeleteFileW 38858->38861 38862 40b89a 38859->38862 38863 40b04b ??3@YAXPAX 38860->38863 38861->38860 38864 438552 134 API calls 38862->38864 38865 40baf3 38863->38865 38866 40b8a4 38864->38866 38865->38419 38867 40bacd 38866->38867 38869 4251c4 137 API calls 38866->38869 38868 443d90 111 API calls 38867->38868 38868->38858 38892 40b8b8 38869->38892 38870 40bac6 39736 424f26 123 API calls 
38870->39736 38871 40b8bd memset 39727 425413 17 API calls 38871->39727 38874 425413 17 API calls 38874->38892 38877 40a71b MultiByteToWideChar 38877->38892 38878 40a734 MultiByteToWideChar 38878->38892 38881 40b9b5 memcmp 38881->38892 38882 4099c6 2 API calls 38882->38892 38883 404423 37 API calls 38883->38892 38885 40bb3e memset memcpy 39737 40a734 MultiByteToWideChar 38885->39737 38886 4251c4 137 API calls 38886->38892 38889 40bb88 LocalFree 38889->38892 38892->38870 38892->38871 38892->38874 38892->38877 38892->38878 38892->38881 38892->38882 38892->38883 38892->38885 38892->38886 38893 40ba5f memcmp 38892->38893 39728 4253ef 16 API calls 38892->39728 39729 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38892->39729 39730 4253af 17 API calls 38892->39730 39731 4253cf 17 API calls 38892->39731 39732 447280 memset 38892->39732 39733 447960 memset memcpy memcpy memcpy 38892->39733 39734 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38892->39734 39735 447920 memcpy memcpy memcpy 38892->39735 38893->38892 38894->38421 38896 40aed1 38895->38896 38897 40aec7 FindClose 38895->38897 38896->38353 38897->38896 38899 4099d7 38898->38899 38900 4099da memcpy 38898->38900 38899->38900 38900->38404 38902 40b2cc 27 API calls 38901->38902 38903 44543f 38902->38903 38904 409d1f 6 API calls 38903->38904 38905 44544f 38904->38905 39829 409b98 GetFileAttributesW 38905->39829 38907 44545e 38908 445476 38907->38908 38909 40b6ef 252 API calls 38907->38909 38910 40b2cc 27 API calls 38908->38910 38909->38908 38911 445482 38910->38911 38912 409d1f 6 API calls 38911->38912 38913 445492 38912->38913 39830 409b98 GetFileAttributesW 38913->39830 38915 4454a1 38916 4454b9 38915->38916 38917 40b6ef 252 API calls 38915->38917 38916->38435 38917->38916 38918->38434 38919->38451 38920->38457 38921->38494 38922->38476 38923->38521 38924->38521 38925->38504 38926->38532 38927->38534 38928->38536 38930 414c2e 16 API calls 38929->38930 38931 40c2ae 38930->38931 39001 40c1d3 38931->39001 38936 40c3be 38953 
40a8ab 38936->38953 38937 40afcf 2 API calls 38938 40c2fd FindFirstUrlCacheEntryW 38937->38938 38939 40c3b6 38938->38939 38940 40c31e wcschr 38938->38940 38941 40b04b ??3@YAXPAX 38939->38941 38942 40c331 38940->38942 38943 40c35e FindNextUrlCacheEntryW 38940->38943 38941->38936 38944 40a8ab 9 API calls 38942->38944 38943->38940 38945 40c373 GetLastError 38943->38945 38948 40c33e wcschr 38944->38948 38946 40c3ad FindCloseUrlCache 38945->38946 38947 40c37e 38945->38947 38946->38939 38949 40afcf 2 API calls 38947->38949 38948->38943 38950 40c34f 38948->38950 38951 40c391 FindNextUrlCacheEntryW 38949->38951 38952 40a8ab 9 API calls 38950->38952 38951->38940 38951->38946 38952->38943 39117 40a97a 38953->39117 38956 40a8cc 38956->38543 38957 40a8d0 7 API calls 38957->38956 39122 40b1ab free free 38958->39122 38960 40c3dd 38961 40b2cc 27 API calls 38960->38961 38962 40c3e7 38961->38962 39123 414592 RegOpenKeyExW 38962->39123 38964 40c3f4 38965 40c50e 38964->38965 38966 40c3ff 38964->38966 38980 405337 38965->38980 38967 40a9ce 4 API calls 38966->38967 38968 40c418 memset 38967->38968 39124 40aa1d 38968->39124 38971 40c471 38973 40c47a _wcsupr 38971->38973 38972 40c505 RegCloseKey 38972->38965 38974 40a8d0 7 API calls 38973->38974 38975 40c498 38974->38975 38976 40a8d0 7 API calls 38975->38976 38977 40c4ac memset 38976->38977 38978 40aa1d 38977->38978 38979 40c4e4 RegEnumValueW 38978->38979 38979->38972 38979->38973 39126 405220 38980->39126 38984 4099c6 2 API calls 38983->38984 38985 40a714 _wcslwr 38984->38985 38986 40c634 38985->38986 39183 405361 38986->39183 38989 40c65c wcslen 39186 4053b6 39 API calls 38989->39186 38990 40c71d wcslen 38990->38553 38992 40c713 39189 4053df 39 API calls 38992->39189 38993 40c677 38993->38992 39187 40538b 39 API calls 38993->39187 38996 40c6a5 38996->38992 38997 40c6a9 memset 38996->38997 38998 40c6d3 38997->38998 39188 40c589 43 API calls 38998->39188 39000->38550 39002 40ae18 9 API calls 39001->39002 39008 40c210 39002->39008 39003 
40ae51 9 API calls 39003->39008 39004 40c264 39005 40aebe FindClose 39004->39005 39007 40c26f 39005->39007 39006 40add4 2 API calls 39006->39008 39013 40e5ed memset memset 39007->39013 39008->39003 39008->39004 39008->39006 39009 40c231 _wcsicmp 39008->39009 39010 40c1d3 35 API calls 39008->39010 39009->39008 39011 40c248 39009->39011 39010->39008 39026 40c084 22 API calls 39011->39026 39014 414c2e 16 API calls 39013->39014 39015 40e63f 39014->39015 39016 409d1f 6 API calls 39015->39016 39017 40e658 39016->39017 39027 409b98 GetFileAttributesW 39017->39027 39019 40e667 39020 40e680 39019->39020 39022 409d1f 6 API calls 39019->39022 39028 409b98 GetFileAttributesW 39020->39028 39022->39020 39023 40e68f 39024 40c2d8 39023->39024 39029 40e4b2 39023->39029 39024->38936 39024->38937 39026->39008 39027->39019 39028->39023 39050 40e01e 39029->39050 39031 40e593 39033 40e5b0 39031->39033 39034 40e59c DeleteFileW 39031->39034 39032 40e521 39032->39031 39073 40e175 39032->39073 39035 40b04b ??3@YAXPAX 39033->39035 39034->39033 39036 40e5bb 39035->39036 39038 40e5c4 CloseHandle 39036->39038 39039 40e5cc 39036->39039 39038->39039 39041 40b633 free 39039->39041 39040 40e573 39042 40e584 39040->39042 39043 40e57c CloseHandle 39040->39043 39044 40e5db 39041->39044 39116 40b1ab free free 39042->39116 39043->39042 39047 40b633 free 39044->39047 39046 40e540 39046->39040 39093 40e2ab 39046->39093 39048 40e5e3 39047->39048 39048->39024 39051 406214 22 API calls 39050->39051 39052 40e03c 39051->39052 39053 40e16b 39052->39053 39054 40dd85 74 API calls 39052->39054 39053->39032 39055 40e06b 39054->39055 39055->39053 39056 40afcf ??2@YAPAXI ??3@YAXPAX 39055->39056 39057 40e08d OpenProcess 39056->39057 39058 40e0a4 GetCurrentProcess DuplicateHandle 39057->39058 39062 40e152 39057->39062 39059 40e0d0 GetFileSize 39058->39059 39060 40e14a CloseHandle 39058->39060 39063 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39059->39063 39060->39062 39061 40e160 39065 40b04b ??3@YAXPAX 
39061->39065 39062->39061 39064 406214 22 API calls 39062->39064 39066 40e0ea 39063->39066 39064->39061 39065->39053 39067 4096dc CreateFileW 39066->39067 39068 40e0f1 CreateFileMappingW 39067->39068 39069 40e140 CloseHandle CloseHandle 39068->39069 39070 40e10b MapViewOfFile 39068->39070 39069->39060 39071 40e13b CloseHandle 39070->39071 39072 40e11f WriteFile UnmapViewOfFile 39070->39072 39071->39069 39072->39071 39074 40e18c 39073->39074 39075 406b90 11 API calls 39074->39075 39076 40e19f 39075->39076 39077 40e1a7 memset 39076->39077 39078 40e299 39076->39078 39083 40e1e8 39077->39083 39079 4069a3 ??3@YAXPAX free 39078->39079 39080 40e2a4 39079->39080 39080->39046 39081 406e8f 13 API calls 39081->39083 39082 406b53 SetFilePointerEx ReadFile 39082->39083 39083->39081 39083->39082 39084 40e283 39083->39084 39085 40dd50 _wcsicmp 39083->39085 39089 40742e 8 API calls 39083->39089 39090 40aae3 wcslen wcslen _memicmp 39083->39090 39091 40e244 _snwprintf 39083->39091 39086 40e291 39084->39086 39087 40e288 free 39084->39087 39085->39083 39088 40aa04 free 39086->39088 39087->39086 39088->39078 39089->39083 39090->39083 39092 40a8d0 7 API calls 39091->39092 39092->39083 39094 40e2c2 39093->39094 39095 406b90 11 API calls 39094->39095 39106 40e2d3 39095->39106 39096 40e4a0 39097 4069a3 ??3@YAXPAX free 39096->39097 39099 40e4ab 39097->39099 39098 406e8f 13 API calls 39098->39106 39099->39046 39100 406b53 SetFilePointerEx ReadFile 39100->39106 39101 40e489 39102 40aa04 free 39101->39102 39103 40e491 39102->39103 39103->39096 39104 40e497 free 39103->39104 39104->39096 39105 40dd50 _wcsicmp 39105->39106 39106->39096 39106->39098 39106->39100 39106->39101 39106->39105 39107 40dd50 _wcsicmp 39106->39107 39110 40742e 8 API calls 39106->39110 39111 40e3e0 memcpy 39106->39111 39112 40e3b3 wcschr 39106->39112 39113 40e3fb memcpy 39106->39113 39114 40e416 memcpy 39106->39114 39115 40e431 memcpy 39106->39115 39108 40e376 memset 39107->39108 39109 40aa29 6 API calls 39108->39109 
39109->39106 39110->39106 39111->39106 39112->39106 39113->39106 39114->39106 39115->39106 39116->39031 39119 40a980 39117->39119 39118 40a8bb 39118->38956 39118->38957 39119->39118 39120 40a995 _wcsicmp 39119->39120 39121 40a99c wcscmp 39119->39121 39120->39119 39121->39119 39122->38960 39123->38964 39125 40aa23 RegEnumValueW 39124->39125 39125->38971 39125->38972 39127 405335 39126->39127 39128 40522a 39126->39128 39127->38553 39129 40b2cc 27 API calls 39128->39129 39130 405234 39129->39130 39131 40a804 8 API calls 39130->39131 39132 40523a 39131->39132 39171 40b273 39132->39171 39134 405248 _mbscpy _mbscat GetProcAddress 39135 40b273 27 API calls 39134->39135 39136 405279 39135->39136 39174 405211 GetProcAddress 39136->39174 39138 405282 39139 40b273 27 API calls 39138->39139 39140 40528f 39139->39140 39175 405211 GetProcAddress 39140->39175 39142 405298 39143 40b273 27 API calls 39142->39143 39144 4052a5 39143->39144 39176 405211 GetProcAddress 39144->39176 39146 4052ae 39147 40b273 27 API calls 39146->39147 39148 4052bb 39147->39148 39177 405211 GetProcAddress 39148->39177 39150 4052c4 39151 40b273 27 API calls 39150->39151 39152 4052d1 39151->39152 39178 405211 GetProcAddress 39152->39178 39154 4052da 39155 40b273 27 API calls 39154->39155 39156 4052e7 39155->39156 39179 405211 GetProcAddress 39156->39179 39158 4052f0 39159 40b273 27 API calls 39158->39159 39160 4052fd 39159->39160 39180 405211 GetProcAddress 39160->39180 39162 405306 39163 40b273 27 API calls 39162->39163 39164 405313 39163->39164 39181 405211 GetProcAddress 39164->39181 39166 40531c 39167 40b273 27 API calls 39166->39167 39172 40b58d 27 API calls 39171->39172 39173 40b18c 39172->39173 39173->39134 39174->39138 39175->39142 39176->39146 39177->39150 39178->39154 39179->39158 39180->39162 39181->39166 39184 405220 39 API calls 39183->39184 39185 405369 39184->39185 39185->38989 39185->38990 39186->38993 39187->38996 39188->38992 39189->38990 39191 40440c FreeLibrary 39190->39191 39192 40436d 
39191->39192 39193 40a804 8 API calls 39192->39193 39194 404377 39193->39194 39195 404383 39194->39195 39196 404405 39194->39196 39197 40b273 27 API calls 39195->39197 39196->38562 39196->38564 39196->38565 39198 40438d GetProcAddress 39197->39198 39199 40b273 27 API calls 39198->39199 39200 4043a7 GetProcAddress 39199->39200 39201 40b273 27 API calls 39200->39201 39202 4043ba GetProcAddress 39201->39202 39203 40b273 27 API calls 39202->39203 39204 4043ce GetProcAddress 39203->39204 39205 40b273 27 API calls 39204->39205 39206 4043e2 GetProcAddress 39205->39206 39207 4043f1 39206->39207 39208 4043f7 39207->39208 39209 40440c FreeLibrary 39207->39209 39208->39196 39209->39196 39211 404413 FreeLibrary 39210->39211 39212 40441e 39210->39212 39211->39212 39212->38579 39213->38570 39215 40442e 39214->39215 39216 40447e 39214->39216 39217 40b2cc 27 API calls 39215->39217 39216->38570 39218 404438 39217->39218 39219 40a804 8 API calls 39218->39219 39220 40443e 39219->39220 39221 404445 39220->39221 39222 404467 39220->39222 39223 40b273 27 API calls 39221->39223 39222->39216 39224 404475 FreeLibrary 39222->39224 39225 40444f GetProcAddress 39223->39225 39224->39216 39225->39222 39226 404460 39225->39226 39226->39222 39228 4135f6 39227->39228 39229 4135eb FreeLibrary 39227->39229 39228->38582 39229->39228 39231 4449c4 39230->39231 39232 444a52 39230->39232 39233 40b2cc 27 API calls 39231->39233 39232->38599 39232->38600 39234 4449cb 39233->39234 39235 40a804 8 API calls 39234->39235 39236 4449d1 39235->39236 39237 40b273 27 API calls 39236->39237 39238 4449dc GetProcAddress 39237->39238 39239 40b273 27 API calls 39238->39239 39240 4449f3 GetProcAddress 39239->39240 39241 40b273 27 API calls 39240->39241 39242 444a04 GetProcAddress 39241->39242 39243 40b273 27 API calls 39242->39243 39244 444a15 GetProcAddress 39243->39244 39245 40b273 27 API calls 39244->39245 39246 444a26 GetProcAddress 39245->39246 39251->38610 39252->38610 39253->38610 39254->38610 39255->38601 39257 
403a29 39256->39257 39271 403bed memset memset 39257->39271 39259 403ae7 39284 40b1ab free free 39259->39284 39260 403a3f memset 39266 403a2f 39260->39266 39262 403aef 39262->38617 39263 409b98 GetFileAttributesW 39263->39266 39264 40a8d0 7 API calls 39264->39266 39265 409d1f 6 API calls 39265->39266 39266->39259 39266->39260 39266->39263 39266->39264 39266->39265 39268 40a051 GetFileTime CloseHandle 39267->39268 39269 4039ca CompareFileTime 39267->39269 39268->39269 39269->38617 39270->38618 39272 414c2e 16 API calls 39271->39272 39273 403c38 39272->39273 39274 409719 2 API calls 39273->39274 39275 403c3f wcscat 39274->39275 39276 414c2e 16 API calls 39275->39276 39277 403c61 39276->39277 39278 409719 2 API calls 39277->39278 39279 403c68 wcscat 39278->39279 39285 403af5 39279->39285 39282 403af5 20 API calls 39283 403c95 39282->39283 39283->39266 39284->39262 39286 403b02 39285->39286 39287 40ae18 9 API calls 39286->39287 39295 403b37 39287->39295 39288 403bdb 39290 40aebe FindClose 39288->39290 39289 40add4 wcscmp wcscmp 39289->39295 39291 403be6 39290->39291 39291->39282 39292 40ae18 9 API calls 39292->39295 39293 40ae51 9 API calls 39293->39295 39294 40aebe FindClose 39294->39295 39295->39288 39295->39289 39295->39292 39295->39293 39295->39294 39296 40a8d0 7 API calls 39295->39296 39296->39295 39298 409d1f 6 API calls 39297->39298 39299 404190 39298->39299 39312 409b98 GetFileAttributesW 39299->39312 39301 40419c 39302 4041a7 6 API calls 39301->39302 39303 40435c 39301->39303 39305 40424f 39302->39305 39303->38644 39305->39303 39306 40425e memset 39305->39306 39308 409d1f 6 API calls 39305->39308 39309 40a8ab 9 API calls 39305->39309 39313 414842 39305->39313 39306->39305 39307 404296 wcscpy 39306->39307 39307->39305 39308->39305 39310 4042b6 memset memset _snwprintf wcscpy 39309->39310 39310->39305 39311->38642 39312->39301 39316 41443e 39313->39316 39315 414866 39315->39305 39317 41444b 39316->39317 39318 414451 39317->39318 39319 4144a3 
GetPrivateProfileStringW 39317->39319 39320 414491 39318->39320 39321 414455 wcschr 39318->39321 39319->39315 39322 414495 WritePrivateProfileStringW 39320->39322 39321->39320 39323 414463 _snwprintf 39321->39323 39322->39315 39323->39322 39324->38648 39326 40b2cc 27 API calls 39325->39326 39327 409615 39326->39327 39328 409d1f 6 API calls 39327->39328 39329 409625 39328->39329 39354 409b98 GetFileAttributesW 39329->39354 39331 409634 39332 409648 39331->39332 39355 4091b8 memset 39331->39355 39334 40b2cc 27 API calls 39332->39334 39336 408801 39332->39336 39335 40965d 39334->39335 39337 409d1f 6 API calls 39335->39337 39336->38651 39336->38652 39338 40966d 39337->39338 39407 409b98 GetFileAttributesW 39338->39407 39340 40967c 39340->39336 39341 409681 39340->39341 39408 409529 72 API calls 39341->39408 39343 409690 39343->39336 39354->39331 39409 40a6e6 WideCharToMultiByte 39355->39409 39357 409202 39410 444432 39357->39410 39360 40b273 27 API calls 39361 409236 39360->39361 39456 438552 39361->39456 39364 409383 39366 40b273 27 API calls 39364->39366 39368 409399 39366->39368 39370 438552 134 API calls 39368->39370 39388 4093a3 39370->39388 39387 40951d 39387->39332 39407->39340 39408->39343 39409->39357 39506 4438b5 39410->39506 39412 44444c 39418 409215 39412->39418 39520 415a6d 39412->39520 39414 4442e6 11 API calls 39416 44469e 39414->39416 39415 444486 39417 4444b9 memcpy 39415->39417 39455 4444a4 39415->39455 39416->39418 39420 443d90 111 API calls 39416->39420 39524 415258 39417->39524 39418->39360 39418->39387 39420->39418 39421 444524 39422 444541 39421->39422 39423 44452a 39421->39423 39527 444316 39422->39527 39424 416935 16 API calls 39423->39424 39424->39455 39427 444316 18 API calls 39455->39414 39594 438460 39456->39594 39458 409240 39458->39364 39459 4251c4 39458->39459 39606 424f07 39459->39606 39507 4438d0 39506->39507 39518 4438c9 39506->39518 39508 415378 memcpy memcpy 39507->39508 39509 4438d5 39508->39509 39510 4154e2 10 API calls 
                                      [Control-flow graph edge list (basic-block address pairs, call edges and per-node API call counts) serialized for the report's interactive graph viewer; it is rendered only on the original page.]

                                      Control-flow Graph (interactive view on the original page; basic blocks marked as Executed or Not Executed)
                                      • Function 0040DD85-0040E01B: basic-block graph with calls to memset, CreateFileW, NtQuerySystemInformation, CloseHandle, GetCurrentProcessId, _wcsicmp, OpenProcess, GetCurrentProcess and DuplicateHandle (edge data omitted; the APIs are listed below)
                                      APIs
                                      • memset.MSVCRT ref: 0040DDAD
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                        • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                      • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                      • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                      • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                      • _wcsicmp.MSVCRT ref: 0040DEB2
                                      • _wcsicmp.MSVCRT ref: 0040DEC5
                                      • _wcsicmp.MSVCRT ref: 0040DED8
                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                      • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                      • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                      • memset.MSVCRT ref: 0040DF5F
                                      • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                      • _wcsicmp.MSVCRT ref: 0040DFB2
                                      • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                      • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                      • API String ID: 708747863-3398334509
                                      • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                      • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                      • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                      • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
                                      APIs
                                        • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                        • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                        • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                      • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                      • free.MSVCRT ref: 00418803
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                      • String ID:
                                      • API String ID: 1355100292-0
                                      • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                      • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                      • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                      • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                      • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileFind$FirstNext
                                      • String ID:
                                      • API String ID: 1690352074-0
                                      • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                      • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                      • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                      • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                      APIs
                                      • memset.MSVCRT ref: 0041898C
                                      • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: InfoSystemmemset
                                      • String ID:
                                      • API String ID: 3558857096-0
                                      • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                      • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                      • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                      • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                      Control-flow Graph

                                      [Interactive control-flow graph for the function at 0x44553b not reproduced; basic-block edge list omitted]
                                      APIs
                                      • memset.MSVCRT ref: 004455C2
                                      • wcsrchr.MSVCRT ref: 004455DA
                                      • memset.MSVCRT ref: 0044570D
                                      • memset.MSVCRT ref: 00445725
                                        • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                        • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                        • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                        • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                        • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                        • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                        • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                        • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                      • memset.MSVCRT ref: 0044573D
                                      • memset.MSVCRT ref: 00445755
                                      • memset.MSVCRT ref: 004458CB
                                      • memset.MSVCRT ref: 004458E3
                                      • memset.MSVCRT ref: 0044596E
                                      • memset.MSVCRT ref: 00445A10
                                      • memset.MSVCRT ref: 00445A28
                                      • memset.MSVCRT ref: 00445AC6
                                        • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                        • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                        • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                        • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                        • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                      • memset.MSVCRT ref: 00445B52
                                      • memset.MSVCRT ref: 00445B6A
                                      • memset.MSVCRT ref: 00445C9B
                                      • memset.MSVCRT ref: 00445CB3
                                      • _wcsicmp.MSVCRT ref: 00445D56
                                      • memset.MSVCRT ref: 00445B82
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                      • memset.MSVCRT ref: 00445986
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                      • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                      • API String ID: 2263259095-3798722523
                                      • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                      • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                      • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                      • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                        • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                        • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                        • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                      • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                      • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                      • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                      • String ID: $/deleteregkey$/savelangfile
                                      • API String ID: 2744995895-28296030
                                      • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                      • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                      • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                      • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                        • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                      • wcsrchr.MSVCRT ref: 0040B738
                                      • memset.MSVCRT ref: 0040B756
                                      • memset.MSVCRT ref: 0040B7F5
                                      • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                      • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                      • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                      • memset.MSVCRT ref: 0040B851
                                      • memset.MSVCRT ref: 0040B8CA
                                      • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                      • memset.MSVCRT ref: 0040BB53
                                      • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateDeleteHandleLibraryLocalProcmemcmpmemcpywcscpy
                                      • String ID: chp$v10
                                      • API String ID: 4165125987-2783969131
                                      • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                      • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                      • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                      • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                      Control-flow Graph

                                      [Interactive control-flow graph for the function at 0x40e2ab not reproduced; basic-block edge list omitted]
                                      APIs
                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                      • free.MSVCRT ref: 0040E49A
                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                      • memset.MSVCRT ref: 0040E380
                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                      • wcschr.MSVCRT ref: 0040E3B8
                                      • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                      • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E407
                                      • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E422
                                      • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E43D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                      • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                      • API String ID: 3849927982-2252543386
                                      • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                      • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                      • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                      • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                      Control-flow Graph

                                      [Interactive control-flow graph for the function at 0x4091b8 not reproduced; basic-block edge list omitted]
                                      APIs
                                      • memset.MSVCRT ref: 004091E2
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                      • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                      • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                      • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                      • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                      • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                      • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                      • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                      • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                      • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                      • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                      • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                      • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                      • String ID:
                                      • API String ID: 3715365532-3916222277
                                      • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                      • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                      • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                      • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                      Control-flow Graph

                                      [Interactive control-flow graph for the function at 0x413d4c not reproduced; basic-block edge list omitted]
                                      APIs
                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                      • memset.MSVCRT ref: 00413D7F
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                      • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                      • memset.MSVCRT ref: 00413E07
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                      • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                      • free.MSVCRT ref: 00413EC1
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                      • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                      • String ID: QueryFullProcessImageNameW$kernel32.dll
                                      • API String ID: 1344430650-1740548384
                                      • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                      • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                      • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                      • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                        • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                        • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                        • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                        • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                        • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                      • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                      • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                      • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                      • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                      • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                      • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                      • CloseHandle.KERNEL32(?), ref: 0040E148
                                      • CloseHandle.KERNEL32(?), ref: 0040E14D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                      • String ID: bhv
                                      • API String ID: 4234240956-2689659898
                                      • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                      • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                      • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                      • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                      Control-flow Graph
                                      • Legend of the original figure: Executed / Not Executed (the block colouring is not preserved in this export; the block and edge list below is)
                                      control_flow_graph 691 413f4f-413f52 692 413fa5 691->692 693 413f54-413f5a call 40a804 691->693 695 413f5f-413fa4 GetProcAddress * 5 693->695 695->692
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                      • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                      • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                      • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                      • API String ID: 2941347001-70141382
                                      • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                      • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                      • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                      • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                      Control-flow Graph
                                      • Legend of the original figure: Executed / Not Executed (the block colouring is not preserved in this export; the block and edge list below is)
                                      control_flow_graph 696 4466f4-44670e call 446904 GetModuleHandleA 699 446710-44671b 696->699 700 44672f-446732 696->700 699->700 701 44671d-446726 699->701 702 44675b-4467aa __set_app_type __p__fmode __p__commode call 4153f2 700->702 704 446747-44674b 701->704 705 446728-44672d 701->705 710 4467ac-4467b7 __setusermatherr 702->710 711 4467b8-44680e call 4468f0 _initterm __wgetmainargs _initterm 702->711 704->700 706 44674d-44674f 704->706 705->700 708 446734-44673b 705->708 709 446755-446758 706->709 708->700 712 44673d-446745 708->712 709->702 710->711 715 446810-446819 711->715 716 44681e-446825 711->716 712->709 717 4468d8-4468dd call 44693d 715->717 718 446827-446832 716->718 719 44686c-446870 716->719 722 446834-446838 718->722 723 44683a-44683e 718->723 720 446845-44684b 719->720 721 446872-446877 719->721 725 446853-446864 GetStartupInfoW 720->725 726 44684d-446851 720->726 721->719 722->718 722->723 723->720 727 446840-446842 723->727 729 446866-44686a 725->729 730 446879-44687b 725->730 726->725 726->727 727->720 731 44687c-446894 GetModuleHandleA call 41276d 729->731 730->731 734 446896-446897 exit 731->734 735 44689d-4468d6 _cexit 731->735 734->735 735->717
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                      • String ID:
                                      • API String ID: 2827331108-0
                                      • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                      • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                      • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                      • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0040C298
                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                      • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                      • wcschr.MSVCRT ref: 0040C324
                                      • wcschr.MSVCRT ref: 0040C344
                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                      • GetLastError.KERNEL32 ref: 0040C373
                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                      • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                      • String ID: visited:
                                      • API String ID: 1157525455-1702587658
                                      • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                      • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                      • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                      • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                      Control-flow Graph
                                      • Legend of the original figure: Executed / Not Executed (the block colouring is not preserved in this export; the block and edge list below is)
                                      control_flow_graph 762 40e175-40e1a1 call 40695d call 406b90 767 40e1a7-40e1e5 memset 762->767 768 40e299-40e2a8 call 4069a3 762->768 770 40e1e8-40e1fa call 406e8f 767->770 774 40e270-40e27d call 406b53 770->774 775 40e1fc-40e219 call 40dd50 * 2 770->775 774->770 780 40e283-40e286 774->780 775->774 786 40e21b-40e21d 775->786 783 40e291-40e294 call 40aa04 780->783 784 40e288-40e290 free 780->784 783->768 784->783 786->774 787 40e21f-40e235 call 40742e 786->787 787->774 790 40e237-40e242 call 40aae3 787->790 790->774 793 40e244-40e26b _snwprintf call 40a8d0 790->793 793->774
                                      APIs
                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                      • memset.MSVCRT ref: 0040E1BD
                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                      • free.MSVCRT ref: 0040E28B
                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                        • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                        • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                      • _snwprintf.MSVCRT ref: 0040E257
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                      • String ID: $ContainerId$Container_%I64d$Containers$Name
                                      • API String ID: 2804212203-2982631422
                                      • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                      • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                      • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                      • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                      • memset.MSVCRT ref: 0040BC75
                                      • memset.MSVCRT ref: 0040BC8C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                      • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                      • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                      • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                      • String ID:
                                      • API String ID: 115830560-3916222277
                                      • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                      • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                      • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                      • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                      Control-flow Graph
                                      • Legend of the original figure: Executed / Not Executed (the block colouring is not preserved in this export; the block and edge list below is)
                                      control_flow_graph 847 41837f-4183bf 848 4183c1-4183cc call 418197 847->848 849 4183dc-4183ec call 418160 847->849 854 4183d2-4183d8 848->854 855 418517-41851d 848->855 856 4183f6-41840b 849->856 857 4183ee-4183f1 849->857 854->849 858 418417-418423 856->858 859 41840d-418415 856->859 857->855 860 418427-418442 call 41739b 858->860 859->860 863 418444-41845d CreateFileW 860->863 864 41845f-418475 CreateFileA 860->864 865 418477-41847c 863->865 864->865 866 4184c2-4184c7 865->866 867 41847e-418495 GetLastError free 865->867 870 4184d5-418501 memset call 418758 866->870 871 4184c9-4184d3 866->871 868 4184b5-4184c0 call 444706 867->868 869 418497-4184b3 call 41837f 867->869 868->855 869->855 877 418506-418515 free 870->877 871->870 877->855
                                      APIs
                                      • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                      • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                      • GetLastError.KERNEL32 ref: 0041847E
                                      • free.MSVCRT ref: 0041848B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CreateFile$ErrorLastfree
                                      • String ID: |A
                                      • API String ID: 77810686-1717621600
                                      • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                      • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                      • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                      • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0041249C
                                      • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                      • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                      • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                      • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                      • wcscpy.MSVCRT ref: 004125A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                      • String ID: r!A
                                      • API String ID: 2791114272-628097481
                                      • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                      • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                      • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                      • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                      APIs
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                        • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                        • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                        • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                        • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                        • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                      • _wcslwr.MSVCRT ref: 0040C817
                                        • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                        • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                      • wcslen.MSVCRT ref: 0040C82C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                      • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                      • API String ID: 2936932814-4196376884
                                      • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                      • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                      • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                      • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                      • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                      • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                      • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                      • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                      • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                      • String ID: BIN
                                      • API String ID: 1668488027-1015027815
                                      • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                      • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                      • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                      • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                      APIs
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                      • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                      • wcslen.MSVCRT ref: 0040BE06
                                      • wcsncmp.MSVCRT ref: 0040BE38
                                      • memset.MSVCRT ref: 0040BE91
                                      • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                      • _wcsnicmp.MSVCRT ref: 0040BEFC
                                      • wcschr.MSVCRT ref: 0040BF24
                                      • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                      • String ID:
                                      • API String ID: 697348961-0
                                      • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                      • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                      • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                      • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                      APIs
                                      • memset.MSVCRT ref: 00403CBF
                                      • memset.MSVCRT ref: 00403CD4
                                      • memset.MSVCRT ref: 00403CE9
                                      • memset.MSVCRT ref: 00403CFE
                                      • memset.MSVCRT ref: 00403D13
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 00403DDA
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Waterfox$Waterfox\Profiles
                                      • API String ID: 3527940856-11920434
                                      • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                      • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                      • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                      • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                      APIs
                                      • memset.MSVCRT ref: 00403E50
                                      • memset.MSVCRT ref: 00403E65
                                      • memset.MSVCRT ref: 00403E7A
                                      • memset.MSVCRT ref: 00403E8F
                                      • memset.MSVCRT ref: 00403EA4
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 00403F6B
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                      • API String ID: 3527940856-2068335096
                                      • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                      • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                      • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                      • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                      APIs
                                      • memset.MSVCRT ref: 00403FE1
                                      • memset.MSVCRT ref: 00403FF6
                                      • memset.MSVCRT ref: 0040400B
                                      • memset.MSVCRT ref: 00404020
                                      • memset.MSVCRT ref: 00404035
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 004040FC
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                      • API String ID: 3527940856-3369679110
                                      • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                      • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                      • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                      • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                      APIs
                                      • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                      • API String ID: 3510742995-2641926074
                                      • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                      • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                      • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                      • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                      APIs
                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                        • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                        • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                      • memset.MSVCRT ref: 004033B7
                                      • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                      • wcscmp.MSVCRT ref: 004033FC
                                      • _wcsicmp.MSVCRT ref: 00403439
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                      • String ID: $0.@
                                      • API String ID: 2758756878-1896041820
                                      • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                      • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                      • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                      • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 2941347001-0
                                      • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                      • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                      • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                      • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                      APIs
                                      • memset.MSVCRT ref: 00403C09
                                      • memset.MSVCRT ref: 00403C1E
                                        • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                        • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                      • wcscat.MSVCRT ref: 00403C47
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                      • wcscat.MSVCRT ref: 00403C70
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memsetwcscat$Closewcscpywcslen
                                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                      • API String ID: 3249829328-1174173950
                                      • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                      • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                      • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                      • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                      APIs
                                      • memset.MSVCRT ref: 0040A824
                                      • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                      • wcscpy.MSVCRT ref: 0040A854
                                      • wcscat.MSVCRT ref: 0040A86A
                                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                      • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 669240632-0
                                      • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                      • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                      • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                      • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                      APIs
                                      • wcschr.MSVCRT ref: 00414458
                                      • _snwprintf.MSVCRT ref: 0041447D
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PrivateProfileString$Write_snwprintfwcschr
                                      • String ID: "%s"
                                      • API String ID: 1343145685-3297466227
                                      • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                      • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                      • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                      • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                      • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                      • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProcessTimes
                                      • String ID: GetProcessTimes$kernel32.dll
                                      • API String ID: 1714573020-3385500049
                                      • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                      • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                      • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                      • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                      APIs
                                      • memset.MSVCRT ref: 004087D6
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                        • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                      • memset.MSVCRT ref: 00408828
                                      • memset.MSVCRT ref: 00408840
                                      • memset.MSVCRT ref: 00408858
                                      • memset.MSVCRT ref: 00408870
                                      • memset.MSVCRT ref: 00408888
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                      • String ID:
                                      • API String ID: 2911713577-0
                                      • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                      • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                      • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                      • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                      APIs
                                      • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                      • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                      • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: @ $SQLite format 3
                                      • API String ID: 1475443563-3708268960
                                      • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                      • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                      • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                      • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                      APIs
                                        • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                      • memset.MSVCRT ref: 00414C87
                                      • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                      • wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressCloseProcVersionmemsetwcscpy
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                      • API String ID: 2705122986-2036018995
                                      • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                      • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                      • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                      • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmpqsort
                                      • String ID: /nosort$/sort
                                      • API String ID: 1579243037-1578091866
                                      • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                      • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                      • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                      • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                      APIs
                                      • memset.MSVCRT ref: 0040E60F
                                      • memset.MSVCRT ref: 0040E629
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Strings
                                      • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                      • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                      • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                      • API String ID: 3354267031-2114579845
                                      • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                      • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                      • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                      • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
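The records above follow one fixed layout (an `APIs` list, an optional `Strings` list with `xrefs`, and a `Similarity` group carrying `API ID`, `String ID`, `Opcode ID` and `Instruction Fuzzy Hash`). When a report this long is exported as text, the blocks worth reading first are the ones whose strings name browser profile directories, the `Shell Folders` registry key or the WebCache database, as the Firefox, SeaMonkey, Waterfox and WebCacheV01.dat blocks in this section do. The parser below is an added example for triaging such an export; it is not code from Joe Sandbox, from NirSoft or from the analysed sample. The `SAMPLE_REPORT` text is constructed from the record layout shown in this section, the `CREDENTIAL_STORE_MARKERS` watch-list is an assumption chosen for the example, and `parse_blocks` and `triage` are names introduced here.

```python
"""Parse Joe Sandbox 'IDA Plugin' function-block records from a text export
and flag the blocks whose strings point at browser or credential stores.

Added example, not code from Joe Sandbox or from the analysed sample.
SAMPLE_REPORT is constructed from the record layout used in the report;
CREDENTIAL_STORE_MARKERS is an assumed watch-list for this example.
"""
import re
from dataclasses import dataclass, field

# Assumed watch-list: path fragments that mark code locating browser/mail
# profiles or the per-user shell folder map that such code resolves first.
CREDENTIAL_STORE_MARKERS = (
    r"Mozilla\Firefox\Profiles",
    r"Mozilla\SeaMonkey\Profiles",
    r"Waterfox\Profiles",
    r"Microsoft\Windows\WebCache\WebCacheV01.dat",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
)

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# '• API ID: ...' style fields inside the Similarity group.
FIELD_RE = re.compile(
    r"^\s*•\s*(API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)$")
# '• memset.MSVCRT ref: ...' or '• Part of subcall function X: Name.MODULE(...)'.
# Name chars include ? and @ so decorated C++ names such as ??3@YAXPAX@Z parse.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z0-9_?@]+)\.([A-Z0-9]+)\b")


@dataclass
class FunctionBlock:
    api_id: str = ""
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""
    api_calls: list = field(default_factory=list)   # "Name.MODULE", in order
    strings: list = field(default_factory=list)     # deduplicated, in order

    def add_string(self, s):
        if s and s not in self.strings:
            self.strings.append(s)

    def credential_store_hits(self):
        """Watch-list entries that occur (case-insensitively) in this block."""
        return [m for m in CREDENTIAL_STORE_MARKERS
                if any(m.lower() in s.lower() for s in self.strings)]


def parse_blocks(text):
    """Split an export into FunctionBlock records; a record starts at 'APIs'."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            block = FunctionBlock()
            blocks.append(block)
            section = line
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if block is None:
            continue  # text before the first record
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "API ID":
                block.api_id = value
            elif key == "String ID":
                # The report joins strings with '$'; a '$' inside a string is
                # therefore ambiguous and splits here as well.
                for s in value.split("$"):
                    block.add_string(s)
            elif key == "Opcode ID":
                block.opcode_id = value
            else:
                block.instruction_fuzzy_hash = value
            continue
        if section == "APIs":
            m = CALL_RE.match(line)
            if m:
                block.api_calls.append(f"{m.group(1)}.{m.group(2)}")
        elif section == "Strings" and ", xrefs:" in line:
            block.add_string(line.lstrip("• ").rsplit(", xrefs:", 1)[0])
    return blocks


def triage(text):
    """(index, API ID, matched markers) for each block touching a watched path."""
    return [(i, b.api_id, b.credential_store_hits())
            for i, b in enumerate(parse_blocks(text))
            if b.credential_store_hits()]


# Constructed sample in the report's record layout (four blocks).
SAMPLE_REPORT = r"""
APIs
• memset.MSVCRT ref: 00403FE1
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
Strings
Memory Dump Source
• Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
• Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
APIs
• memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
APIs
• memset.MSVCRT ref: 00414C87
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Similarity
• API ID: AddressCloseProcVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
APIs
• memset.MSVCRT ref: 0040E60F
Strings
• Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
• Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
Similarity
• API ID: memsetwcslen$AttributesFilewcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
"""

if __name__ == "__main__":
    for index, api_id, hits in triage(SAMPLE_REPORT):
        print(f"block {index}: {api_id} -> {hits}")
```

On a saved export, `triage(open(path, encoding="utf-8").read())` lists the blocks to open first; `parse_blocks` keeps the `Opcode ID` and `Instruction Fuzzy Hash` of every block, so the same records can be grouped across reports to spot the repeated NirSoft-style profile-enumeration routine (the Firefox, SeaMonkey and Waterfox blocks above differ only in their string table).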
                                      APIs
                                      • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                      • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                      • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                      • LockResource.KERNEL32(00000000), ref: 004148EF
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID:
                                      • API String ID: 3473537107-0
                                      • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                      • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                      • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                      • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                      • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                      • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                      • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                      APIs
                                      Strings
                                      • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: only a single result allowed for a SELECT that is part of an expression
                                      • API String ID: 2221118986-1725073988
                                      • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                      • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                      • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                      • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                      APIs
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                      • DeleteObject.GDI32(00000000), ref: 004125E7
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??3@DeleteObject
                                      • String ID: r!A
                                      • API String ID: 1103273653-628097481
                                      • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                      • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                      • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                      • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                      APIs
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@
                                      • String ID:
                                      • API String ID: 1033339047-0
                                      • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                      • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                      • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                      • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                      APIs
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                      • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$memcmp
                                      • String ID: $$8
                                      • API String ID: 2808797137-435121686
                                      • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                      • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                      • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                      • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                      Strings
                                      • duplicate column name: %s, xrefs: 004307FE
                                      • too many columns on %s, xrefs: 00430763
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: duplicate column name: %s$too many columns on %s
                                      • API String ID: 0-1445880494
                                      • Opcode ID: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                      • Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
                                      • Opcode Fuzzy Hash: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                      • Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
                                      APIs
                                        • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                        • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                        • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                        • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                        • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                        • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                        • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                        • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                        • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                      • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                        • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                        • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                        • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                      • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                      • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                        • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                        • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                        • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                      • String ID:
                                      • API String ID: 1979745280-0
                                      • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                      • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                      • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                      • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                      APIs
                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                      • memset.MSVCRT ref: 00403A55
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                      • String ID: history.dat$places.sqlite
                                      • API String ID: 2641622041-467022611
                                      • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                      • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                      • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                      • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                      APIs
                                        • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                      • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                      • GetLastError.KERNEL32 ref: 00417627
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLast$File$PointerRead
                                      • String ID:
                                      • API String ID: 839530781-0
                                      • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                      • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                      • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                      • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID: *.*$index.dat
                                      • API String ID: 1974802433-2863569691
                                      • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                      • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                      • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                      • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                      • GetLastError.KERNEL32 ref: 004175A2
                                      • GetLastError.KERNEL32 ref: 004175A8
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLast$FilePointer
                                      • String ID:
                                      • API String ID: 1156039329-0
                                      • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                      • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                      • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                      • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                      • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleTime
                                      • String ID:
                                      • API String ID: 3397143404-0
                                      • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                      • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                      • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                      • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                      • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Temp$DirectoryFileNamePathWindows
                                      • String ID:
                                      • API String ID: 1125800050-0
                                      • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                      • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                      • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                      • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                      APIs
                                      • Sleep.KERNEL32(00000064), ref: 004175D0
                                      • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CloseHandleSleep
                                      • String ID: }A
                                      • API String ID: 252777609-2138825249
                                      • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                      • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                      • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                      • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                      APIs
                                      • malloc.MSVCRT ref: 00409A10
                                      • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                      • free.MSVCRT ref: 00409A31
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: freemallocmemcpy
                                      • String ID:
                                      • API String ID: 3056473165-0
                                      • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                      • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                      • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                      • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                      Strings
                                      • failed memory resize %u to %u bytes, xrefs: 00415358
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: realloc
                                      • String ID: failed memory resize %u to %u bytes
                                      • API String ID: 471065373-2134078882
                                      • Opcode ID: e5ae129d454b891eada76ccbfa458d0a6592737a0e8831e28bd7d44ced5f0510
                                      • Instruction ID: af22f86c8d97814ed0bf188a45fefa7fc909daabc8cee38fca791e75313f3e85
                                      • Opcode Fuzzy Hash: e5ae129d454b891eada76ccbfa458d0a6592737a0e8831e28bd7d44ced5f0510
                                      • Instruction Fuzzy Hash: 49F027B3A01605A7D2109A55DC418CBF3DCDFC4655B06082FF998D3201E168E88083B6
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: d
                                      • API String ID: 0-2564639436
                                      • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                      • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                      • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                                      • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: BINARY
                                      • API String ID: 2221118986-907554435
                                      • Opcode ID: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                                      • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                      • Opcode Fuzzy Hash: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                                      • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: /stext
                                      • API String ID: 2081463915-3817206916
                                      • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                      • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                      • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                      • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                      • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 2445788494-0
                                      • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                      • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                      • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                      • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                      • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 3150196962-0
                                      APIs
                                      Strings
                                      • failed to allocate %u bytes of memory, xrefs: 004152F0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: malloc
                                      • String ID: failed to allocate %u bytes of memory
                                      • API String ID: 2803490479-1168259600
                                      APIs
                                      • memset.MSVCRT ref: 0041BDDF
                                      • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcmpmemset
                                      • String ID:
                                      • API String ID: 1065087418-0
                                      APIs
                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                      • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                      • CloseHandle.KERNELBASE(?), ref: 00410654
                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                        • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                        • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                        • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                      • String ID:
                                      • API String ID: 1381354015-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      APIs
                                      • memset.MSVCRT ref: 004301AD
                                      • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID:
                                      • API String ID: 1297977491-0
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      APIs
                                        • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                        • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                        • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                        • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                      • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$Time$CloseCompareCreateHandlememset
                                      • String ID:
                                      • API String ID: 2154303073-0
                                      APIs
                                        • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 3150196962-0
                                      APIs
                                      • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$PointerRead
                                      • String ID:
                                      • API String ID: 3154509469-0
                                      APIs
                                      • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                        • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                        • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                        • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$StringWrite_itowmemset
                                      • String ID:
                                      • API String ID: 4232544981-0
                                      APIs
                                      • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      APIs
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                      • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$FileModuleName
                                      • String ID:
                                      • API String ID: 3859505661-0
                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      APIs
                                      • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      APIs
                                      • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      APIs
                                      • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      APIs
                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      APIs
                                      • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      APIs
                                      • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: EnumNamesResource
                                      • String ID:
                                      • API String ID: 3334572018-0
                                      APIs
                                      • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      APIs
                                      • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: CloseFind
                                      • String ID:
                                      • API String ID: 1863332320-0
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • memset.MSVCRT ref: 004095FC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                        • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                        • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                      • String ID:
                                      • API String ID: 3655998216-0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • memset.MSVCRT ref: 00445426
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                      • String ID:
                                      • API String ID: 1828521557-0
                                      APIs
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                        • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                      • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@FilePointermemcpy
                                      • String ID:
                                      • API String ID: 609303285-0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID:
                                      • API String ID: 2081463915-0
                                      APIs
                                        • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateErrorHandleLastRead
                                      • String ID:
                                      • API String ID: 2136311172-0
                                      APIs
                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                      • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@??3@
                                      • String ID:
                                      • API String ID: 1936579350-0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free
                                      • String ID:
                                      • API String ID: 1294909896-0
                                      APIs
                                      • EmptyClipboard.USER32 ref: 004098EC
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                      • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                      • GlobalLock.KERNEL32(00000000), ref: 00409927
                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                      • GetLastError.KERNEL32 ref: 0040995D
                                      • CloseHandle.KERNEL32(?), ref: 00409969
                                      • GetLastError.KERNEL32 ref: 00409974
                                      • CloseClipboard.USER32 ref: 0040997D
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                      • String ID:
                                      • API String ID: 3604893535-0
                                      APIs
                                      • EmptyClipboard.USER32 ref: 00409882
                                      • wcslen.MSVCRT ref: 0040988F
                                      • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                      • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                      • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                      • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                      • CloseClipboard.USER32 ref: 004098D7
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                      • String ID:
                                      • API String ID: 1213725291-0
                                      APIs
                                      • GetLastError.KERNEL32 ref: 004182D7
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                      • LocalFree.KERNEL32(?), ref: 00418342
                                      • free.MSVCRT ref: 00418370
                                        • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                        • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                      • String ID: OsError 0x%x (%u)
                                      • API String ID: 2360000266-2664311388
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@??3@memcpymemset
                                      • String ID:
                                      • API String ID: 1865533344-0
                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 004173BE
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Version
                                      • String ID:
                                      • API String ID: 1889659487-0
                                      APIs
                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: NtdllProc_Window
                                      • String ID:
                                      • API String ID: 4255912815-0
                                      APIs
                                      • _wcsicmp.MSVCRT ref: 004022A6
                                      • _wcsicmp.MSVCRT ref: 004022D7
                                      • _wcsicmp.MSVCRT ref: 00402305
                                      • _wcsicmp.MSVCRT ref: 00402333
                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                      • memset.MSVCRT ref: 0040265F
                                      • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                      • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                      • API String ID: 577499730-1134094380
                                      • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                      • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                      • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                      • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                      • String ID: :stringdata$ftp://$http://$https://
                                      • API String ID: 2787044678-1921111777
                                      • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                      • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                      • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                      • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                      • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                      • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                      • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                      • GetWindowRect.USER32(?,?), ref: 00414088
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                      • GetDC.USER32 ref: 004140E3
                                      • wcslen.MSVCRT ref: 00414123
                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                      • ReleaseDC.USER32(?,?), ref: 00414181
                                      • _snwprintf.MSVCRT ref: 00414244
                                      • SetWindowTextW.USER32(?,?), ref: 00414258
                                      • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                      • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                      • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                      • GetClientRect.USER32(?,?), ref: 004142E1
                                      • GetWindowRect.USER32(?,?), ref: 004142EB
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                      • GetClientRect.USER32(?,?), ref: 0041433B
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                      • String ID: %s:$EDIT$STATIC
                                      • API String ID: 2080319088-3046471546
                                      • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                      • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                      • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                      • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                      APIs
                                      • EndDialog.USER32(?,?), ref: 00413221
                                      • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                      • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                      • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                      • memset.MSVCRT ref: 00413292
                                      • memset.MSVCRT ref: 004132B4
                                      • memset.MSVCRT ref: 004132CD
                                      • memset.MSVCRT ref: 004132E1
                                      • memset.MSVCRT ref: 004132FB
                                      • memset.MSVCRT ref: 00413310
                                      • GetCurrentProcess.KERNEL32 ref: 00413318
                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                      • memset.MSVCRT ref: 004133C0
                                      • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                      • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                      • wcscpy.MSVCRT ref: 0041341F
                                      • _snwprintf.MSVCRT ref: 0041348E
                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                      • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                      • SetFocus.USER32(00000000), ref: 004134B7
                                      Strings
                                      • {Unknown}, xrefs: 004132A6
                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                      • API String ID: 4111938811-1819279800
                                      • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                      • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                      • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                      • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                      APIs
                                      • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                      • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                      • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                      • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                      • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                      • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                      • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                      • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                      • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                      • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                      • EndDialog.USER32(?,?), ref: 0040135E
                                      • DeleteObject.GDI32(?), ref: 0040136A
                                      • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                      • ShowWindow.USER32(00000000), ref: 00401398
                                      • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                      • ShowWindow.USER32(00000000), ref: 004013A7
                                      • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                      • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                      • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                      • String ID:
                                      • API String ID: 829165378-0
                                      • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                      • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                      • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                      • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                      APIs
                                      • memset.MSVCRT ref: 00404172
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      • wcscpy.MSVCRT ref: 004041D6
                                      • wcscpy.MSVCRT ref: 004041E7
                                      • memset.MSVCRT ref: 00404200
                                      • memset.MSVCRT ref: 00404215
                                      • _snwprintf.MSVCRT ref: 0040422F
                                      • wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 0040426E
                                      • memset.MSVCRT ref: 004042CD
                                      • memset.MSVCRT ref: 004042E2
                                      • _snwprintf.MSVCRT ref: 004042FE
                                      • wcscpy.MSVCRT ref: 00404311
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                      • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                      • API String ID: 2454223109-1580313836
                                      • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                      • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                      • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                      • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
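The strings in the record above (profiles.ini, General, Profile%d, IsRelative, Path, together with _snwprintf, wcscpy and a GetFileAttributesW subcall) are the Firefox profile-discovery step of a WebBrowserPassView-style credential harvester, which the report flags elsewhere. As an added example, not code from the sandbox report or from the tool, the Python below reproduces that lookup over a constructed profiles.ini so an analyst can predict which directories and files the sample will touch in file-access telemetry. The Firefox root path, the profile names and the rule that enumeration stops at the first missing Profile%d section are assumptions; the credential file names are the ones Firefox actually uses.

```python
import configparser
import io
from typing import Dict, List

# Constructed sample: not a file recovered from the sandbox run. It mirrors the
# layout Firefox writes to %APPDATA%\Mozilla\Firefox\profiles.ini, with one
# relative and one absolute profile entry.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1
Version=2

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default

[Profile1]
Name=work
IsRelative=0
Path=D:\\Data\\firefox\\work-profile
Default=1
"""

# Assumed Firefox root (what %APPDATA%\Mozilla\Firefox expands to on the victim).
FIREFOX_ROOT = "C:\\Users\\analyst\\AppData\\Roaming\\Mozilla\\Firefox"

# Files a Firefox credential harvester reads inside each profile directory
# (current logins.json/key4.db pair and the legacy signons.sqlite/key3.db pair).
CREDENTIAL_FILES = ("logins.json", "key4.db", "signons.sqlite", "key3.db")


def _win_join(root: str, relative: str) -> str:
    """Join with Windows separators regardless of the host running this script."""
    return root.rstrip("\\/") + "\\" + relative.replace("/", "\\")


def resolve_profile_dirs(ini_text: str, firefox_root: str) -> List[str]:
    """Return profile directories in Profile0, Profile1, ... order.

    Mirrors the strings in the dump: section names are formatted as "Profile%d",
    IsRelative decides whether Path is joined to the Firefox root, and the loop
    stops at the first missing section (an assumption about the loop bound; the
    tool's own existence check is GetFileAttributesW on the resulting path).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case (IsRelative, Path) as written
    cp.read_file(io.StringIO(ini_text))
    dirs: List[str] = []
    index = 0
    while cp.has_section("Profile%d" % index):
        section = "Profile%d" % index
        path = cp.get(section, "Path", fallback="")
        if path:
            is_relative = cp.get(section, "IsRelative", fallback="1") == "1"
            dirs.append(_win_join(firefox_root, path) if is_relative else path)
        index += 1
    return dirs


def harvest_targets(ini_text: str, firefox_root: str) -> Dict[str, List[str]]:
    """Map each profile directory to the credential files a harvester would open.

    Use the result to build the expected file-access telemetry for the sample.
    """
    return {
        d: [d + "\\" + f for f in CREDENTIAL_FILES]
        for d in resolve_profile_dirs(ini_text, firefox_root)
    }


if __name__ == "__main__":
    for profile, files in harvest_targets(SAMPLE_PROFILES_INI, FIREFOX_ROOT).items():
        print(profile)
        for f in files:
            print("   ", f)
```

Feed the script the profiles.ini recovered from the victim and its real %APPDATA% root; the output is the list of paths to search for in Sysmon FileCreate/ProcessAccess or EDR file-read events attributed to the injected process.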
                                      APIs
                                        • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                      • SetMenu.USER32(?,00000000), ref: 00411453
                                      • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                      • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                      • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                      • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                      • ShowWindow.USER32(?,?), ref: 004115FE
                                      • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                      • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                      • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                      • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                      • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                        • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                        • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                      • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                      • API String ID: 4054529287-3175352466
                                      • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                      • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                      • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                      • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                      • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                      • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                      • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                      • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                      • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                      • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                      • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                      • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                      • API String ID: 667068680-2887671607
                                      • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                      • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                      • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                      • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _snwprintfmemset$wcscpy$wcscat
                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                      • API String ID: 1607361635-601624466
                                      • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                      • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                      • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                      • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _snwprintf$memset$wcscpy
                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                      • API String ID: 2000436516-3842416460
                                      • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                      • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                      • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                      • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
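The two records above carry the HTML templates of a NirSoft-style report writer (`<table border="1" cellpadding="5">`, `<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s`, `</table><p>`, `&nbsp;` for empty values), and an earlier record references report.html next to GetTempPathW. As an added example that is not part of the sandbox report or of the tool, the Python below recovers field/value records from such a vertical-layout report so a responder who finds report.html in the temp directory can enumerate exactly which credentials were written out. The sample report, its field names (URL, User Name, Password) and its values are constructed from those templates; the real tool's column set is an assumption.

```python
from html.parser import HTMLParser
from typing import Dict, List

# Constructed sample built from the templates seen in the dump. The field names
# and values are made up for this example, not recovered from the sandbox run.
SAMPLE_REPORT = """\
<html><body>
<table border="1" cellpadding="5">
<tr><td nowrap><b>URL</b><td bgcolor=#FFFFFF>https://mail.example.test/login
<tr><td nowrap><b>User Name</b><td bgcolor=#FFFFFF>alice
<tr><td nowrap><b>Password</b><td bgcolor=#FFFFFF>hunter2
</table><p>
<table border="1" cellpadding="5">
<tr><td nowrap><b>URL</b><td bgcolor=#FFFFFF>ftp://files.example.test
<tr><td nowrap><b>User Name</b><td bgcolor=#FFFFFF>bob
<tr><td nowrap><b>Password</b><td bgcolor=#FFFFFF>&nbsp;
</table><p>
</body></html>
"""


class _VerticalTableParser(HTMLParser):
    """Collects one dict per <table>, one field/value pair per <tr>.

    The report never closes its <td> tags, so cells are tracked positionally:
    the first <td> of a row is the field name, the second is the value.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)   # &nbsp; -> U+00A0, stripped below
        self.records: List[Dict[str, str]] = []
        self._record: Dict[str, str] = {}
        self._in_table = False
        self._cell = None          # None | "field" | "value"
        self._field = ""
        self._value = ""

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._in_table = True
            self._record = {}
        elif not self._in_table:
            return
        elif tag == "tr":
            self._flush_row()
        elif tag == "td":
            self._cell = "value" if self._cell == "field" else "field"

    def handle_endtag(self, tag):
        if tag == "table" and self._in_table:
            self._flush_row()
            if self._record:
                self.records.append(self._record)
            self._in_table = False

    def handle_data(self, data):
        if self._cell == "field":
            self._field += data
        elif self._cell == "value":
            self._value += data

    def _flush_row(self):
        if self._field.strip():
            self._record[self._field.strip()] = self._value.strip()
        self._field, self._value, self._cell = "", "", None


def parse_report(html_text: str) -> List[Dict[str, str]]:
    """Return the credential records of a vertical-layout NirSoft-style report."""
    parser = _VerticalTableParser()
    parser.feed(html_text)
    parser.close()
    return parser.records


def records_with_passwords(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records where a non-empty password was written out (the ones needing a reset)."""
    return [r for r in records if r.get("Password", "").strip()]


if __name__ == "__main__":
    for rec in records_with_passwords(parse_report(SAMPLE_REPORT)):
        print(rec["URL"], rec["User Name"])
```

Run it against the recovered report.html rather than trusting the sandbox's dropped-file listing alone: the file is what the operator exfiltrates, so its contents, not the harvester's capability list, define the credential-reset scope.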
                                      APIs
                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                        • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                        • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                        • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                      • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                      • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                      • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                      • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                      • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                      • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                      • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                      • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                      • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                      • String ID:
                                      • API String ID: 1043902810-0
                                      • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                      • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                      • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                      • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                      APIs
                                      • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                      • _snwprintf.MSVCRT ref: 0044488A
                                      • wcscpy.MSVCRT ref: 004448B4
                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@??3@_snwprintfwcscpy
                                      • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                      • API String ID: 2899246560-1542517562
                                      • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                      • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                      • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                      • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                      APIs
                                      • memset.MSVCRT ref: 0040DBCD
                                      • memset.MSVCRT ref: 0040DBE9
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                        • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                        • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                        • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                      • wcscpy.MSVCRT ref: 0040DC2D
                                      • wcscpy.MSVCRT ref: 0040DC3C
                                      • wcscpy.MSVCRT ref: 0040DC4C
                                      • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                      • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                      • wcscpy.MSVCRT ref: 0040DCC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                      • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                      • API String ID: 3330709923-517860148
                                      • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                      • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                      • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                      • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                      • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      • memset.MSVCRT ref: 004085CF
                                      • memset.MSVCRT ref: 004085F1
                                      • memset.MSVCRT ref: 00408606
                                      • strcmp.MSVCRT ref: 00408645
                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                      • memset.MSVCRT ref: 0040870E
                                      • strcmp.MSVCRT ref: 0040876B
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                      • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                      • String ID: ---
                                      • API String ID: 3437578500-2854292027
                                      • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                      • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                      • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                      • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                      APIs
                                      • memset.MSVCRT ref: 0041087D
                                      • memset.MSVCRT ref: 00410892
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                      • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                      • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                      • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                      • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                      • GetSysColor.USER32(0000000F), ref: 00410999
                                      • DeleteObject.GDI32(?), ref: 004109D0
                                      • DeleteObject.GDI32(?), ref: 004109D6
                                      • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                      • String ID:
                                      • API String ID: 1010922700-0
                                      • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                      • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                      • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                      • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                      APIs
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                      • malloc.MSVCRT ref: 004186B7
                                      • free.MSVCRT ref: 004186C7
                                      • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                      • free.MSVCRT ref: 004186E0
                                      • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                      • malloc.MSVCRT ref: 004186FE
                                      • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                      • free.MSVCRT ref: 00418716
                                      • free.MSVCRT ref: 0041872A
                                      • free.MSVCRT ref: 00418749
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$FullNamePath$malloc$Version
                                      • String ID: |A
                                      • API String ID: 3356672799-1717621600
                                      • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                      • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                      • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                      • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                      • API String ID: 2081463915-1959339147
                                      • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                      • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                      • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                      • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                      • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                      • API String ID: 2012295524-70141382
                                      • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                      • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                      • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                      • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                      • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                      • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                      • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                      • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                      • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                      • API String ID: 667068680-3953557276
                                      • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                      • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                      • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                      • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                      APIs
                                      • GetDC.USER32(00000000), ref: 004121FF
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                      • SetBkMode.GDI32(?,00000001), ref: 00412232
                                      • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                      • SelectObject.GDI32(?,?), ref: 00412251
                                      • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                      • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                        • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                        • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                        • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                      • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                      • SetCursor.USER32(00000000), ref: 004122BC
                                      • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                      • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                      • String ID:
                                      • API String ID: 1700100422-0
                                      • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                      • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                      • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                      • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004111E0
                                      • GetWindowRect.USER32(?,?), ref: 004111F6
                                      • GetWindowRect.USER32(?,?), ref: 0041120C
                                      • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                      • GetWindowRect.USER32(00000000), ref: 0041124D
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                      • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                      • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                      • EndDeferWindowPos.USER32(?), ref: 0041130B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Window$Defer$Rect$BeginClientItemPoints
                                      • String ID:
                                      • API String ID: 552707033-0
                                      • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                      • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                      • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                      • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                        • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                        • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                      • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                      • strchr.MSVCRT ref: 0040C140
                                      • strchr.MSVCRT ref: 0040C151
                                      • _strlwr.MSVCRT ref: 0040C15F
                                      • memset.MSVCRT ref: 0040C17A
                                      • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                      • String ID: 4$h
                                      • API String ID: 4066021378-1856150674
                                      • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                      • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                      • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                      • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf
                                      • String ID: %%0.%df
                                      • API String ID: 3473751417-763548558
                                      • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                      • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                      • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                      • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                      APIs
                                      • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                      • KillTimer.USER32(?,00000041), ref: 004060D7
                                      • KillTimer.USER32(?,00000041), ref: 004060E8
                                      • GetTickCount.KERNEL32 ref: 0040610B
                                      • GetParent.USER32(?), ref: 00406136
                                      • SendMessageW.USER32(00000000), ref: 0040613D
                                      • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                      • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                      • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                      • String ID: A
                                      • API String ID: 2892645895-3554254475
                                      • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                      • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                      • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                      • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                      APIs
                                      • LoadMenuW.USER32(?,?), ref: 0040D97F
                                        • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                        • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                        • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                        • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                      • DestroyMenu.USER32(00000000), ref: 0040D99D
                                      • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                      • GetDesktopWindow.USER32 ref: 0040D9FD
                                      • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                      • memset.MSVCRT ref: 0040DA23
                                      • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                      • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                      • DestroyWindow.USER32(00000005), ref: 0040DA70
                                        • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                      • String ID: caption
                                      • API String ID: 973020956-4135340389
                                      • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                      • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                      • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                      • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                      APIs
                                      Strings
                                      • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                      • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                      • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                      • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf$wcscpy
                                      • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                      • API String ID: 1283228442-2366825230
                                      • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                      • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                      • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                      • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
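The records above for 0041384C onward (kernel32.dll exports CreateToolhelp32Snapshot, Process32First/Next, Module32First/Next looked up through GetProcAddress), for 004138ED onward (psapi.dll exports EnumProcesses, EnumProcessModules, GetModuleBaseNameW, GetModuleFileNameExW, GetModuleInformation resolved the same way), for the function whose only strings are the `/scomma` … `/sxml` switches, and for the HTML-footer function that embeds `http://www.nirsoft.net/` are the per-function evidence an analyst pulls out of a listing like this: runtime API resolution of process-enumeration exports and the marker strings of a bundled NirSoft-style password-recovery tool. The Python below is an added example, not code from the Joe Sandbox report or from the sample under analysis. It parses records in the shape shown on this page (the constructed sample copies line forms and addresses from the records above, but its selection of lines is this example's) and flags functions that resolve Toolhelp32 or psapi exports at runtime or carry the NirSoft indicator strings. The regex, the section labels it recognises, the indicator sets, and the reading of the `/s…` switches and nirsoft.net footer as NirSoft markers are all assumptions of this example.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the function records on this page; line forms and
# addresses are copied from the records above, the selection of lines is this example's.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
Strings
Similarity
• String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll
APIs
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Strings
Similarity
• String ID: EnumProcessModules$GetModuleBaseNameW$psapi.dll
APIs
Strings
Similarity
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
APIs
Strings
Similarity
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>
"""

# One bullet line of an "APIs" section: optional "Part of subcall function XXXXXXXX: "
# prefix, then name.MODULE, optional (args), then ", ref: XXXXXXXX" (assumed format).
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STRING_ID_LINE = re.compile(r"^•\s+String ID:\s*(?P<ids>.*)$")
SECTION_LABELS = {"Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin"}

ApiCall = namedtuple("ApiCall", "name module args ref subcall")  # subcall: callee address or None

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    string_ids: List[str] = field(default_factory=list)

def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per "APIs" header; keeps its API lines and its String ID list."""
    records, current, section = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
        elif line in SECTION_LABELS:
            section = line
        elif current is not None and section == "APIs" and (m := API_LINE.match(line)):
            args = m.group("args").split(",") if m.group("args") is not None else []
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
        elif current is not None and section == "Similarity" and (m := STRING_ID_LINE.match(line)):
            ids = m.group("ids").strip()
            current.string_ids = ids.split("$") if ids else []  # "$" separates entries on this page
    return records

TOOLHELP = {"CreateToolhelp32Snapshot", "Process32First", "Process32Next", "Module32First", "Module32Next"}
PSAPI = {"EnumProcesses", "EnumProcessModules", "GetModuleBaseNameW", "GetModuleFileNameExW", "GetModuleInformation"}
# Assumption: these switches and the nirsoft.net footer mark an embedded NirSoft recovery tool.
NIRSOFT_SWITCHES = {"/scomma", "/shtml", "/skeepass", "/stab", "/stabular", "/sverhtml", "/sxml"}

def resolved_exports(record: FunctionRecord) -> set:
    """Export names this function looks up itself via GetProcAddress (subcall lines excluded)."""
    return {c.args[1] for c in record.calls
            if c.name == "GetProcAddress" and c.subcall is None and len(c.args) >= 2}

def classify(record: FunctionRecord):
    """Label one record by what it resolves at runtime and which marker strings it carries."""
    exports, strings = resolved_exports(record), record.string_ids
    checks = [
        ("dynamic-toolhelp", sorted(exports & TOOLHELP)),
        ("dynamic-psapi", sorted(exports & PSAPI)),
        ("nirsoft-cli-switches", sorted(set(strings) & NIRSOFT_SWITCHES)),
        ("nirsoft-html-footer", [s for s in strings if "nirsoft.net" in s]),
    ]
    return [(kind, evidence) for kind, evidence in checks if evidence]

def scan(text: str):
    """(finding, address of the function's first own API call or None, evidence) per hit."""
    out = []
    for rec in parse_records(text):
        own = [c for c in rec.calls if c.subcall is None]
        anchor = own[0].ref if own else None
        out.extend((kind, anchor, evidence) for kind, evidence in classify(rec))
    return out
```

Running `scan(SAMPLE)` yields one finding per record: the Toolhelp32 resolver anchored at 0041384C, the psapi resolver anchored at 004138ED, and the two NirSoft string hits with no anchor because those records list no API calls. The anchor is the first own call's `ref`, so it lands inside the function in the dump and not in a callee; `resolved_exports` deliberately ignores "Part of subcall function" lines for the same reason.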
                                      APIs
                                      • wcschr.MSVCRT ref: 00413972
                                      • wcscpy.MSVCRT ref: 00413982
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                      • wcscpy.MSVCRT ref: 004139D1
                                      • wcscat.MSVCRT ref: 004139DC
                                      • memset.MSVCRT ref: 004139B8
                                        • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                        • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                      • memset.MSVCRT ref: 00413A00
                                      • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                      • wcscat.MSVCRT ref: 00413A27
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                      • String ID: \systemroot
                                      • API String ID: 4173585201-1821301763
                                      • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                      • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                      • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                      • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscpy
                                      • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                      • API String ID: 1284135714-318151290
                                      • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                      • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                      • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                      • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                      • String ID: 0$6
                                      • API String ID: 4066108131-3849865405
                                      • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                      • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                      • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                      • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                      APIs
                                      • memset.MSVCRT ref: 004082EF
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                      • memset.MSVCRT ref: 00408362
                                      • memset.MSVCRT ref: 00408377
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$ByteCharMultiWide
                                      • String ID:
                                      • API String ID: 290601579-0
                                      • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                      • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                      • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                      • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$wcslen
                                      • String ID:
                                      • API String ID: 3592753638-3916222277
                                      • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                      • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                      • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                      • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                      APIs
                                      • memset.MSVCRT ref: 0040A47B
                                      • _snwprintf.MSVCRT ref: 0040A4AE
                                      • wcslen.MSVCRT ref: 0040A4BA
                                      • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                      • wcslen.MSVCRT ref: 0040A4E0
                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$_snwprintfmemset
                                      • String ID: %s (%s)$YV@
                                      • API String ID: 3979103747-598926743
                                      • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                      • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                      • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                      • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                      APIs
                                      • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                      • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                      • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadMessageProc
                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                      • API String ID: 2780580303-317687271
                                      • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                      • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                      • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                      • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                      APIs
                                      • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                      • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                      • wcslen.MSVCRT ref: 0040A6B1
                                      • wcscpy.MSVCRT ref: 0040A6C1
                                      • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                      • wcscpy.MSVCRT ref: 0040A6DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                      • String ID: Unknown Error$netmsg.dll
                                      • API String ID: 2767993716-572158859
                                      • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                      • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                      • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                      • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                      APIs
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      • wcscpy.MSVCRT ref: 0040DAFB
                                      • wcscpy.MSVCRT ref: 0040DB0B
                                      • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                        • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PrivateProfilewcscpy$AttributesFileString
                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                      • API String ID: 3176057301-2039793938
                                      • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                      • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                      • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                      • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                      APIs
                                      Strings
                                      • too many attached databases - max %d, xrefs: 0042F64D
                                      • unable to open database: %s, xrefs: 0042F84E
                                      • out of memory, xrefs: 0042F865
                                      • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                      • database %s is already in use, xrefs: 0042F6C5
                                      • cannot ATTACH database within transaction, xrefs: 0042F663
                                      • database is already attached, xrefs: 0042F721
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                      • API String ID: 1297977491-2001300268
                                      • Opcode ID: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                      • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                      • Opcode Fuzzy Hash: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                      • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                      APIs
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                      • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                      • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                      • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                      • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                      • String ID: ($d
                                      • API String ID: 1140211610-1915259565
                                      • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                      • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                      • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                      • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                      APIs
                                      • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                      • Sleep.KERNEL32(00000001), ref: 004178E9
                                      • GetLastError.KERNEL32 ref: 004178FB
                                      • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$ErrorLastLockSleepUnlock
                                      • String ID:
                                      • API String ID: 3015003838-0
                                      • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                      • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                      • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                      • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                      APIs
                                      • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                      • GetLastError.KERNEL32 ref: 0041855C
                                      • Sleep.KERNEL32(00000064), ref: 00418571
                                      • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                      • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                      • GetLastError.KERNEL32 ref: 0041858E
                                      • Sleep.KERNEL32(00000064), ref: 004185A3
                                      • free.MSVCRT ref: 004185AC
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: File$AttributesDeleteErrorLastSleep$free
                                      • String ID:
                                      • API String ID: 2802642348-0
                                      • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                      • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                      • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                      • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                      • memset.MSVCRT ref: 00413ADC
                                      • memset.MSVCRT ref: 00413AEC
                                        • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                      • memset.MSVCRT ref: 00413BD7
                                      • wcscpy.MSVCRT ref: 00413BF8
                                      • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$CloseHandleOpenProcess
                                      • String ID: 3A
                                      • API String ID: 3300951397-293699754
                                      • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                      • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                      • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                      • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                      • wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                        • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                      • wcslen.MSVCRT ref: 0040D1D3
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                      • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                      • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                      • String ID: strings
                                      • API String ID: 3166385802-3030018805
                                      • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                      • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                      • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                      • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                      APIs
                                      • memset.MSVCRT ref: 00411AF6
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                      • wcsrchr.MSVCRT ref: 00411B14
                                      • wcscat.MSVCRT ref: 00411B2E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileModuleNamememsetwcscatwcsrchr
                                      • String ID: AE$.cfg$General$EA
                                      • API String ID: 776488737-1622828088
                                      • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                      • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                      • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                      • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                      APIs
                                      • memset.MSVCRT ref: 0040D8BD
                                      • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                      • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                      • memset.MSVCRT ref: 0040D906
                                      • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                      • _wcsicmp.MSVCRT ref: 0040D92F
                                        • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                        • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                      • String ID: sysdatetimepick32
                                      • API String ID: 1028950076-4169760276
                                      • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                      • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                      • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                      • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                      APIs
                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                      • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                      • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                      • memset.MSVCRT ref: 0041BA3D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: -journal$-wal
                                      • API String ID: 438689982-2894717839
                                      • Opcode ID: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                                      • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                      • Opcode Fuzzy Hash: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                                      • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                      • EndDialog.USER32(?,00000002), ref: 00405C83
                                      • EndDialog.USER32(?,00000001), ref: 00405C98
                                        • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                        • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                      • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Item$Dialog$MessageSend
                                      • String ID:
                                      • API String ID: 3975816621-0
                                      • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                      • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                      • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                      • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                      APIs
                                      • _wcsicmp.MSVCRT ref: 00444D09
                                      • _wcsicmp.MSVCRT ref: 00444D1E
                                      • _wcsicmp.MSVCRT ref: 00444D33
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$wcslen$_memicmp
                                      • String ID: .save$http://$https://$log profile$signIn
                                      • API String ID: 1214746602-2708368587
                                      • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                      • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                      • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                      • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                      APIs
                                      • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                      • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                      • memset.MSVCRT ref: 00405E33
                                      • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                      • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                      • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                      • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                      • String ID:
                                      • API String ID: 2313361498-0
                                      • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                      • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                      • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                      • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                      APIs
                                      • GetSystemTime.KERNEL32(?), ref: 00418836
                                      • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                      • GetCurrentProcessId.KERNEL32 ref: 00418856
                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                      • GetTickCount.KERNEL32 ref: 0041887D
                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                      • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                      • String ID:
                                      • API String ID: 4218492932-0
                                      • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                      • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                      • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                      • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                      APIs
                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                      • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                      • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                      • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                      • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: gj
                                      • API String ID: 438689982-4203073231
                                      • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                      • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                      • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                      • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                      APIs
                                      • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                      • API String ID: 3510742995-2446657581
                                      • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                      • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                      • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                      • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                      • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                      • memset.MSVCRT ref: 00405ABB
                                      • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                      • SetFocus.USER32(?), ref: 00405B76
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessageSend$FocusItemmemset
                                      • String ID:
                                      • API String ID: 4281309102-0
                                      • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                      • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                      • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                      • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _snwprintfwcscat
                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                      • API String ID: 384018552-4153097237
                                      • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                      • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                      • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                      • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ItemMenu$CountInfomemsetwcschr
                                      • String ID: 0$6
                                      • API String ID: 2029023288-3849865405
                                      • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                      • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                      • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                      • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                      APIs
                                        • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                      • memset.MSVCRT ref: 00405455
                                      • memset.MSVCRT ref: 0040546C
                                      • memset.MSVCRT ref: 00405483
                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$memcpy$ErrorLast
                                      • String ID: 6$\
                                      • API String ID: 404372293-1284684873
                                      • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                      • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                      • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                      • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                      APIs
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                      • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                      • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                      • wcscpy.MSVCRT ref: 0040A0D9
                                      • wcscat.MSVCRT ref: 0040A0E6
                                      • wcscat.MSVCRT ref: 0040A0F5
                                      • wcscpy.MSVCRT ref: 0040A107
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                      • String ID:
                                      • API String ID: 1331804452-0
                                      • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                      • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                      • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                      • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                      APIs
                                        • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                      • String ID: advapi32.dll
                                      • API String ID: 2012295524-4050573280
                                      • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                      • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                      • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                      • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                      Strings
                                      • <?xml version="1.0" ?>, xrefs: 0041007C
                                      • <%s>, xrefs: 004100A6
                                      • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf
                                      • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                      • API String ID: 3473751417-2880344631
                                      • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                      • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                      • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                      • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscat$_snwprintfmemset
                                      • String ID: %2.2X
                                      • API String ID: 2521778956-791839006
                                      • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                      • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                      • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                      • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _snwprintfwcscpy
                                      • String ID: dialog_%d$general$menu_%d$strings
                                      • API String ID: 999028693-502967061
                                      • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                      • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                      • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                      • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                      • API String ID: 2221118986-1606337402
                                      • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                      • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                      • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                      • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                      APIs
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                        • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                        • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                      • memset.MSVCRT ref: 0040C439
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                      • _wcsupr.MSVCRT ref: 0040C481
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                      • memset.MSVCRT ref: 0040C4D0
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                      • String ID:
                                      • API String ID: 4131475296-0
                                      • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                      • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                      • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                      • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                      APIs
                                      • memset.MSVCRT ref: 004116FF
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                        • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                      • API String ID: 2618321458-3614832568
                                      • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                      • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                      • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                      • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: AttributesFilefreememset
                                      • String ID:
                                      • API String ID: 2507021081-0
                                      • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                      • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                      • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                      • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                      APIs
                                      • AreFileApisANSI.KERNEL32 ref: 004174FC
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                      • malloc.MSVCRT ref: 00417524
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                      • free.MSVCRT ref: 00417544
                                      • free.MSVCRT ref: 00417562
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                      • String ID:
                                      • API String ID: 4131324427-0
                                      • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                      • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                      • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                      • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                      APIs
                                      • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                      • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                      • free.MSVCRT ref: 0041822B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PathTemp$free
                                      • String ID: %s\etilqs_$etilqs_
                                      • API String ID: 924794160-1420421710
                                      • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                      • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                      • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                      • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                      APIs
                                      • wcscpy.MSVCRT ref: 0041477F
                                      • wcscpy.MSVCRT ref: 0041479A
                                      • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                      • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscpy$CloseCreateFileHandle
                                      • String ID: General
                                      • API String ID: 999786162-26480598
                                      • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                      • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                      • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                      • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ErrorLastMessage_snwprintf
                                      • String ID: Error$Error %d: %s
                                      • API String ID: 313946961-1552265934
                                      • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                      • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                      • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                      • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: foreign key constraint failed$new$oid$old
                                      • API String ID: 0-1953309616
                                      • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                      • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                      • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                      • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                      APIs
                                      Strings
                                      • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                      • unknown column "%s" in foreign key definition, xrefs: 00431858
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                      • API String ID: 3510742995-272990098
                                      • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                      • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                      • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                      • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                      APIs
                                      • memset.MSVCRT ref: 0044A6EB
                                      • memset.MSVCRT ref: 0044A6FB
                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                      • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: gj
                                      • API String ID: 1297977491-4203073231
                                      • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                      • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                      • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                      • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                      APIs
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                      • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                      • free.MSVCRT ref: 0040E9D3
                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??3@$free
                                      • String ID:
                                      • API String ID: 2241099983-0
                                      • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                      • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                      • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                      • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                      APIs
                                      • AreFileApisANSI.KERNEL32 ref: 00417497
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                      • malloc.MSVCRT ref: 004174BD
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                      • free.MSVCRT ref: 004174E4
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                      • String ID:
                                      • API String ID: 4053608372-0
                                      • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                      • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                      • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                      • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                      APIs
                                      • GetParent.USER32(?), ref: 0040D453
                                      • GetWindowRect.USER32(?,?), ref: 0040D460
                                      • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Window$Rect$ClientParentPoints
                                      • String ID:
                                      • API String ID: 4247780290-0
                                      • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                      • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                      • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                      • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                      • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                      • memset.MSVCRT ref: 004450CD
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                        • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                      • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                      • String ID:
                                      • API String ID: 1471605966-0
                                      • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                      • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                      • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                      • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                      APIs
                                      • wcscpy.MSVCRT ref: 0044475F
                                      • wcscat.MSVCRT ref: 0044476E
                                      • wcscat.MSVCRT ref: 0044477F
                                      • wcscat.MSVCRT ref: 0044478E
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                        • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                        • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                      • String ID: \StringFileInfo\
                                      • API String ID: 102104167-2245444037
                                      • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                      • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                      • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                      • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                      APIs
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                      • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                      • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                      • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _memicmpwcslen
                                      • String ID: @@@@$History
                                      • API String ID: 1872909662-685208920
                                      • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                      • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                      • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                      • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                      APIs
                                      • memset.MSVCRT ref: 004100FB
                                      • memset.MSVCRT ref: 00410112
                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                      • _snwprintf.MSVCRT ref: 00410141
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf_wcslwrwcscpy
                                      • String ID: </%s>
                                      • API String ID: 3400436232-259020660
                                      • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                      • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                      • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                      • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                      APIs
                                      • memset.MSVCRT ref: 0040D58D
                                      • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                      • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ChildEnumTextWindowWindowsmemset
                                      • String ID: caption
                                      • API String ID: 1523050162-4135340389
                                      • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                      • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                      • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                      • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                      APIs
                                        • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                        • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                      • CreateFontIndirectW.GDI32(?), ref: 00401156
                                      • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                      • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                      • String ID: MS Sans Serif
                                      • API String ID: 210187428-168460110
                                      • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                      • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                      • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                      • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ClassName_wcsicmpmemset
                                      • String ID: edit
                                      • API String ID: 2747424523-2167791130
                                      • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                      • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                      • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                      • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                      APIs
                                      • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                      • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                      • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                      • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                      • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                      Similarity
                                      • API ID: memcpy$memcmp
                                      • String ID:
                                      • API String ID: 3384217055-0
                                      APIs
                                      Similarity
                                      • API ID: memset$memcpy
                                      • String ID:
                                      • API String ID: 368790112-0
                                      APIs
                                        • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                      • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                      Strings
                                      • virtual tables may not be altered, xrefs: 0042EBD2
                                      • sqlite_altertab_%s, xrefs: 0042EC4C
                                      • Cannot add a column to a view, xrefs: 0042EBE8
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                      • API String ID: 1297977491-2063813899
                                      APIs
                                      • memset.MSVCRT ref: 0040560C
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                        • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                      Strings
                                      Similarity
                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                      • String ID: *.*$dat$wand.dat
                                      • API String ID: 2618321458-1828844352
                                      APIs
                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                      • wcslen.MSVCRT ref: 00410C74
                                      • _wtoi.MSVCRT(?), ref: 00410C80
                                      • _wcsicmp.MSVCRT ref: 00410CCE
                                      • _wcsicmp.MSVCRT ref: 00410CDF
                                      Similarity
                                      • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                      • String ID:
                                      • API String ID: 1549203181-0
                                      APIs
                                      • memset.MSVCRT ref: 00412057
                                        • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                      • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                      • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                      • GetKeyState.USER32(00000010), ref: 0041210D
                                      Similarity
                                      • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                      • String ID:
                                      • API String ID: 3550944819-0
                                      APIs
                                      • free.MSVCRT ref: 0040F561
                                      • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                      • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                      Strings
                                      Similarity
                                      • API ID: memcpy$free
                                      • String ID: g4@
                                      • API String ID: 2888793982-2133833424
                                      APIs
                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                      • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                      Strings
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: @
                                      • API String ID: 3510742995-2766056989
                                      APIs
                                      • memset.MSVCRT ref: 004144E7
                                        • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                        • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                      • memset.MSVCRT ref: 0041451A
                                      • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                      Similarity
                                      • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                      • String ID:
                                      • API String ID: 1127616056-0
                                      APIs
                                      • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                      • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                      • wcscpy.MSVCRT ref: 00414DF3
                                      Similarity
                                      • API ID: BrowseFolderFromListMallocPathwcscpy
                                      • String ID:
                                      • API String ID: 3917621476-0
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                      • malloc.MSVCRT ref: 00417459
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                      • free.MSVCRT ref: 0041747F
                                      Similarity
                                      • API ID: ByteCharMultiWide$freemalloc
                                      • String ID:
                                      • API String ID: 2605342592-0
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                      • RegisterClassW.USER32(?), ref: 00412428
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                      • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                      Similarity
                                      • API ID: HandleModule$ClassCreateRegisterWindow
                                      • String ID:
                                      • API String ID: 2678498856-0
                                      APIs
                                      • GetDlgItem.USER32(?,?), ref: 00409B40
                                      • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                      • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                      • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                      Similarity
                                      • API ID: MessageSend$Item
                                      • String ID:
                                      • API String ID: 3888421826-0
                                      APIs
                                      • memset.MSVCRT ref: 00417B7B
                                      • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                      • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                      • GetLastError.KERNEL32 ref: 00417BB5
                                      Similarity
                                      • API ID: File$ErrorLastLockUnlockmemset
                                      • String ID:
                                      • API String ID: 3727323765-0
                                      APIs
                                      • memset.MSVCRT ref: 0040F673
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                      • strlen.MSVCRT ref: 0040F6A2
                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      APIs
                                      • memset.MSVCRT ref: 0040F6E2
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                      • strlen.MSVCRT ref: 0040F70D
                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      APIs
                                        • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                        • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                        • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                      • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                      • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                      • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                      • GetStockObject.GDI32(00000000), ref: 004143C6
                                      Similarity
                                      • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                      • String ID:
                                      • API String ID: 764393265-0
                                      APIs
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                      Similarity
                                      • API ID: Time$System$File$LocalSpecific
                                      • String ID:
                                      • API String ID: 979780441-0
                                      APIs
                                      • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                      • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                      • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                      Similarity
                                      • API ID: memcpy$DialogHandleModuleParam
                                      • String ID:
                                      • API String ID: 1386444988-0
                                      APIs
                                      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                      • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                      Strings
                                      Similarity
                                      • API ID: InvalidateMessageRectSend
                                      • String ID: d=E
                                      • API String ID: 909852535-3703654223
                                      APIs
                                      • wcschr.MSVCRT ref: 0040F79E
                                      • wcschr.MSVCRT ref: 0040F7AC
                                        • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                        • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcschr$memcpywcslen
                                      • String ID: "
                                      • API String ID: 1983396471-123907689
                                      • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                      • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                      • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                      • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                      APIs
                                      • _snwprintf.MSVCRT ref: 0040A398
                                      • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _snwprintfmemcpy
                                      • String ID: %2.2X
                                      • API String ID: 2789212964-323797159
                                      • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                      • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                      • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                      • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: _snwprintf
                                      • String ID: %%-%d.%ds
                                      • API String ID: 3988819677-2008345750
                                      • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                      • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                      • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                      • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                      APIs
                                      • memset.MSVCRT ref: 0040E770
                                      • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: MessageSendmemset
                                      • String ID: F^@
                                      • API String ID: 568519121-3652327722
                                      • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                      • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                      • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                      • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: PlacementWindowmemset
                                      • String ID: WinPos
                                      • API String ID: 4036792311-2823255486
                                      • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                      • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                      • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                      • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                      APIs
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                      • wcsrchr.MSVCRT ref: 0040DCE9
                                      • wcscat.MSVCRT ref: 0040DCFF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: FileModuleNamewcscatwcsrchr
                                      • String ID: _lng.ini
                                      • API String ID: 383090722-1948609170
                                      • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                      • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                      • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                      • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                      • String ID: SHGetSpecialFolderPathW$shell32.dll
                                      • API String ID: 2773794195-880857682
                                      • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                      • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                      • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                      • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                      APIs
                                      • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                      • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                      • memset.MSVCRT ref: 0042BAAE
                                      • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID:
                                      • API String ID: 438689982-0
                                      • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                      • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                      • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                      • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                      APIs
                                        • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                      • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ??2@$memset
                                      • String ID:
                                      • API String ID: 1860491036-0
                                      • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                      • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                      • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                      • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                      APIs
                                      • wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                      • free.MSVCRT ref: 0040A908
                                      • free.MSVCRT ref: 0040A92B
                                      • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$memcpy$mallocwcslen
                                      • String ID:
                                      • API String ID: 726966127-0
                                      • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                      • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                      • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                      • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                      APIs
                                      • wcslen.MSVCRT ref: 0040B1DE
                                      • free.MSVCRT ref: 0040B201
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                      • free.MSVCRT ref: 0040B224
                                      • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$memcpy$mallocwcslen
                                      • String ID:
                                      • API String ID: 726966127-0
                                      • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                      • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                      • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                      • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                      APIs
                                      • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                        • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                      • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                      • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                      • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: memcmp$memcpy
                                      • String ID:
                                      • API String ID: 231171946-0
                                      • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                      • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                      • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                      • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                      APIs
                                      • strlen.MSVCRT ref: 0040B0D8
                                      • free.MSVCRT ref: 0040B0FB
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                      • free.MSVCRT ref: 0040B12C
                                      • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: free$memcpy$mallocstrlen
                                      • String ID:
                                      • API String ID: 3669619086-0
                                      • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                      • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                      • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                      • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                      • malloc.MSVCRT ref: 00417407
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                      • free.MSVCRT ref: 00417425
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$freemalloc
                                      • String ID:
                                      • API String ID: 2605342592-0
                                      • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                      • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                      • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                      • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.2130588800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_6_2_400000_Adobe.jbxd
                                      Similarity
                                      • API ID: wcslen$wcscat$wcscpy
                                      • String ID:
                                      • API String ID: 1961120804-0
                                      • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                      • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                      • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                      • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E